anonhaven
Ad

CVE-2026-22251

MEDIUM CVSS 3.1: 5.5 EPSS 0.01%
Updated Jan 27, 2026
Weblate
Parameter Value
CVSS 5.5 (MEDIUM)
Affected Versions before 1.17.0
Fixed In 1.17.0
Type CWE-200 (Information Exposure)
Vendor Weblate
Public PoC No

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed.

This might cause the API key to be leaked to different servers.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-200 Information Exposure

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Weblate Wlc
cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*
 1.17.0

References 3

https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe807…
security-advisories@github.com
https://github.com/WeblateOrg/wlc/pull/1098
security-advisories@github.com
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27457

Weblate

4.3

CVE-2026-24126

Weblate

9.1

CVE-2026-22250

Weblate

5.5

CVE-2025-64326

Weblate

2.6