Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
Issue Tracking x_refsource_misc
https://github.com/WeblateOrg/wlc/pull/1098
Scores
CVSS v3
5.3
EPSS
0.0001
EPSS Percentile
0.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
pypi/wlc
0 - 1.17.0PyPI
weblate/wlc
< 1.17.0
Published
Jan 12, 2026
Tracked Since
Feb 18, 2026