CVE-2026-22251

MEDIUM

wlc < 1.17.0 - Exposure of Sensitive Information via Unscoped API Key

Title source: llm

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766

Issue Tracking x_refsource_misc

https://github.com/WeblateOrg/wlc/pull/1098

Patch x_refsource_misc

https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0014

EPSS Percentile 3.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

pypi/wlc 0 - 1.17.0PyPI

weblate/wlc < 1.17.0

Published Jan 12, 2026

Tracked Since Feb 18, 2026