
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GX2M-MCC2-R4P3: Cross-Site Scripting via Unescaped HTML Output in Weblate CLI


Vulnerability ID: GHSA-GX2M-MCC2-R4P3
CVSS Score: N/A
Published: 2026-04-24

The Weblate Command Line Interface (wlc) package contains a Cross-Site Scripting (XSS) vulnerability due to insufficient sanitization during HTML report generation. The print_html function fails to encode API-retrieved data before embedding it into HTML output, allowing malicious payloads to execute when the generated report is viewed in a web browser.

TL;DR

A missing HTML entity encoding step in the wlc CLI tool permits attackers to execute arbitrary JavaScript if a victim generates and views an HTML-formatted translation report containing injected payloads.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Local/Network (via file viewing)
  • Vulnerability Type: Cross-Site Scripting (XSS)
  • Component: print_html function in wlc/main.py
  • Exploit Status: Proof of Concept available
  • CVSS Severity: Not explicitly rated

Affected Systems

  • Weblate Command Line Interface (wlc)
  • wlc (Weblate CLI): All versions prior to the patch in PR #1327 (Fixed in: Latest)

Code Analysis

Commit: 0f3e58f

Fix HTML escaping in print_html by adding format_html_value wrapper.
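The advisory's root cause is a single missing encoding step: API-supplied strings are interpolated into HTML without entity encoding. The example below is added here to illustrate that pattern and its fix; it is not wlc's own code. The wrapper name format_html_value is borrowed from the commit message above, but its body, the row layout, the sample rows and the check function are all assumptions constructed for this illustration.

```python
import html

# Constructed sample rows standing in for API-retrieved data. The second row
# carries a markup payload in a name field and quote characters in a note.
SAMPLE_ROWS = [
    {"name": "website", "translated": 42, "note": "ok"},
    {"name": "<img src=x onerror=alert(1)>", "translated": 0,
     "note": "\"quoted\" & 'single'"},
]


def print_html_vulnerable(rows):
    """Vulnerable pattern: values are interpolated straight into markup,
    so any '<', '>' or '&' in the data becomes part of the document."""
    out = ["<table>"]
    for row in rows:
        cells = "".join(f"<td>{v}</td>" for v in row.values())
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


def format_html_value(value):
    """Hypothetical wrapper (name from the commit message, body assumed):
    stringify the value and entity-encode it. quote=True also encodes
    quotes, which keeps the value safe even inside an attribute."""
    return html.escape(str(value), quote=True)


def print_html_fixed(rows):
    """Same layout, but every value passes through the encoding wrapper."""
    out = ["<table>"]
    for row in rows:
        cells = "".join(f"<td>{format_html_value(v)}</td>" for v in row.values())
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


def find_unescaped_values(report, rows):
    """Defender's check for a generated report: return every input value that
    contains markup-significant characters and still appears verbatim in
    the output. An empty list means all such values were encoded."""
    leaked = []
    for row in rows:
        for v in row.values():
            s = str(v)
            if any(c in s for c in "<>&\"'") and s in report:
                leaked.append(s)
    return leaked


if __name__ == "__main__":
    vulnerable = print_html_vulnerable(SAMPLE_ROWS)
    fixed = print_html_fixed(SAMPLE_ROWS)
    print("unescaped in vulnerable output:", find_unescaped_values(vulnerable, SAMPLE_ROWS))
    print("unescaped in fixed output:", find_unescaped_values(fixed, SAMPLE_ROWS))
```

The check function is the useful part for anyone who cannot upgrade immediately: run it (or an equivalent) over a report generated from data you control and it tells you whether the installed version still emits raw markup.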

Exploit Details

Mitigation Strategies

  • Upgrade the wlc Python package to the latest version incorporating the PR #1327 patch.
  • Avoid using the --format html flag and use safe alternative formats like JSON or CSV.
  • Implement automatic HTML sanitization pipelines if legacy HTML reports must be viewed.

Remediation Steps:

  1. Identify all internal servers or development machines utilizing the wlc tool.
  2. Execute pip install --upgrade wlc to ensure the patched version is installed.
  3. Verify the patch by running wlc --version and confirming it matches or exceeds the patched release.
  4. Audit existing internal automation scripts that may generate HTML reports via wlc and update them to use secure formats or ensure the patched CLI is utilized.
