Publish GHSA-9rp8-h4g8-8766

advisory-database[bot] · advisory-database[bot] · commit 3291c463f11e · 2026-01-12T18:08:56.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-9rp8-h4g8-8766/GHSA-9rp8-h4g8-8766.json b/advisories/github-reviewed/2026/01/GHSA-9rp8-h4g8-8766/GHSA-9rp8-h4g8-8766.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9rp8-h4g8-8766",
+  "modified": "2026-01-12T18:07:03Z",
+  "published": "2026-01-12T18:07:03Z",
+  "aliases": [
+    "CVE-2026-22251"
+  ],
+  "summary": "Weblate wlc has insecure API key configuration",
+  "details": "### Impact\nHistorically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.\n\n### Patches\n* https://github.com/WeblateOrg/wlc/pull/1098\n\n### Workarounds\nRemove unscoped `key` from wlc configuration. Only use URL-scoped keys in the `[keys]` sections.\n\n### References\nThis issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "wlc"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.17.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/wlc/pull/1098"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WeblateOrg/wlc"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-922"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-12T18:07:03Z",
+    "nvd_published_at": null
+  }
+}
