CVE-2026-22251

EUVD-2026-1919
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
weblatewlc
𝑥
< 1.17.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
wlc
bookworm
no-dsa
bullseye
no-dsa
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797
https://github.com/WeblateOrg/wlc/pull/1098
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766