wlc: print_html outputs API data without HTML escaping
The HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser.
Advisories for Pypi/Wlc package
2026
Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command
Multi-translation download could write to an arbitrary location when instructed by a crafted server.
Weblate wlc has insecure API key configuration
Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.
Weblate command-line client susceptible to SSL verification skip
The SSL verification would be skipped for some crafted URLs.