CVE-2026-22251

low-risk
Published 2026-01-12

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Wlc

Affected Vendors

Weblate

References (3)

Patch https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe8079...
Issue Tracking https://github.com/WeblateOrg/wlc/pull/1098
Vendor Advisory https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
19
/ 100
low-risk
Severity 14/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal