CVE-2026-42150
5.1 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): High (H)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
wlc: print_html outputs API data without HTML escaping, enabling stored XSS
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
References
- https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3 (x_refsource_CONFIRM)
- https://github.com/WeblateOrg/wlc/pull/1327 (x_refsource_MISC)
- https://github.com/WeblateOrg/wlc/releases/tag/2.0.0 (x_refsource_MISC)
Affected products
wlc
- < 2.0.0
Package maintainers
- @xddxdd Yuhui Xu <b980120@hotmail.com>
- @paperdigits Mica Semrick <mica@silentumbrella.com>
- @NomisIV Simon Gutgesell <simon@nomisiv.com>
- @OPNA2608 Cosima Neidahl <opna2608@protonmail.com>