CVE-2026-22251 — Weblate wlc has insecure API key configuration

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

How to fix CVE-2026-22251

To remediate CVE-2026-22251, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.17.0 or later

Is CVE-2026-22251 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22251
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-22251
PATCHgithub.com/WeblateOrg/wlc
WEBgithub.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797
WEB