CVE-2026-22251

medium

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

References

https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766

https://github.com/WeblateOrg/wlc/pull/1098

https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797

Details

Source: Mitre, NVD

Published: 2026-01-12

Updated: 2026-01-13

Risk Information

CVSS v2

Base Score: 3.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N

Severity: Low

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00011