CVE-2026-22251

Source
https://nvd.nist.gov/vuln/detail/CVE-2026-22251
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22251.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22251
Aliases
Downstream
Published
2026-01-12T17:55:09.699Z
Modified
2026-01-12T19:46:03.586091Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
wlc may leak API keys due to an insecure API key configuration
Details

wlc is a Weblate command-line client that uses Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in its settings. This practice had been discouraged for years, but the code was never removed. As a result, the API key might be leaked to different servers.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22251.json",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/weblateorg/wlc

Affected ranges

Type
GIT
Repo
https://github.com/weblateorg/wlc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.0"
        }
    ]
}

Affected versions

0.*

0.1
0.10
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9

1.*

1.0
1.1
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.16.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22251.json"