Platform: python
Component: wlc
Fixed in: 1.17.1, 1.17.0
CVE-2026-22250 describes an SSL verification bypass vulnerability in Weblate CLI versions up to 1.9. An attacker could potentially exploit this to establish insecure connections by providing crafted URLs. The vulnerability was reported by wh1zee via HackerOne and has been addressed in version 1.17.0.
This vulnerability allows an attacker to bypass SSL verification when Weblate CLI connects to remote servers. By crafting malicious URLs, an attacker can potentially intercept or manipulate data transmitted between the CLI and the server, leading to man-in-the-middle attacks or unauthorized access. The impact is limited to connections where the attacker can control the URL used by the CLI, and the severity is considered LOW due to the specific conditions required for exploitation.
This vulnerability is not currently listed on KEV or EPSS. The CVSS score is LOW (2.5), indicating a limited probability of exploitation. A public proof-of-concept is not currently available. The vulnerability was disclosed publicly on 2026-01-12 through the publication of CVE-2026-22250.
Exploit Status: EPSS 0.01% (0% percentile)
The primary mitigation is to upgrade Weblate CLI to version 1.17.0 or later, which includes the fix for this vulnerability. As a temporary workaround, avoid using untrusted Weblate CLI configurations, particularly those where the URL is derived from external sources. Regularly review and audit your Weblate CLI configurations to ensure they adhere to secure practices. There are no specific WAF or proxy rules that can directly address this vulnerability, as it lies within the CLI's internal SSL verification logic.
Update the `wlc` package to version 1.17.0 or higher. This can be done using the pip package manager with the command `pip install --upgrade wlc`. Ensure you verify that the update was successful.
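As an added example (not code from the advisory or the wlc project), the following Python checker applies the advisory's fixed-version threshold to a requirements.txt or `pip freeze` listing and reports whether the pinned `wlc` release is still affected. The sample lines are constructed, and the version comparison is numeric only, so pre-release suffixes such as `rc1` are not distinguished.

```python
"""Added example: flag a wlc pin that predates the 1.17.0 fix for CVE-2026-22250."""
import re

# First fixed release named by the advisory.
FIXED_VERSION = (1, 17, 0)

# Matches a requirement line for exactly the 'wlc' project (not 'wlc-foo'),
# with optional extras and an optional version operator/version.
_WLC_LINE = re.compile(
    r"^wlc(?![\w\-])(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([\w.+\-]*)", re.I
)


def parse_version(text):
    """Turn '1.9' or '1.17.0' into a 3-tuple; missing parts count as 0.
    Only the leading numeric parts are used (pre-release tags are ignored)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the wlc release is older than the first fixed version."""
    return parse_version(version) < FIXED_VERSION


def check_requirements(lines):
    """Return (status, detail) for the wlc entry in requirements-style lines.

    status is 'affected', 'fixed', 'unpinned' (needs a manual look because the
    specifier is not an exact '==' pin) or 'absent' (wlc is not listed).
    """
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = _WLC_LINE.match(line)
        if not m:
            continue
        op, ver = m.group(1), m.group(2)
        if op == "==" and ver:
            return ("affected" if is_affected(ver) else "fixed", ver)
        return ("unpinned", line)
    return ("absent", "")


if __name__ == "__main__":
    # Constructed sample of a requirements.txt / pip freeze listing.
    sample = ["requests==2.31.0", "wlc==1.9  # translation CLI", "six==1.16.0"]
    print(check_requirements(sample))
```

Run it against the output of `pip freeze` after upgrading to confirm the status changes from `affected` to `fixed`.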
CVE-2026-22250 is a LOW severity vulnerability in Weblate CLI versions 1.9 and earlier that allows attackers to bypass SSL verification for crafted URLs, potentially leading to insecure connections.
You are affected if you are using Weblate CLI versions 1.9 or earlier. Upgrade to version 1.17.0 or later to mitigate the vulnerability.
Upgrade Weblate CLI to version 1.17.0 or later. As a temporary workaround, avoid using untrusted Weblate CLI configurations.
There is no current evidence of CVE-2026-22250 being actively exploited, but it is important to apply the fix to prevent potential future attacks.
Refer to the Weblate GitHub pull request: https://github.com/WeblateOrg/wlc/pull/1097 for details and the fix.