Low severity · OSV Advisory · Published Jan 12, 2026 · Updated Jan 12, 2026

wlc can skip SSL verification

CVE-2026-22250

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wlc (PyPI)
Affected versions: < 1.17.0
Patched versions: 1.17.0

Patches

a513864ec4da

fix: avoid using startswith for SSL configuration

https://github.com/WeblateOrg/wlc · Michal Čihař · Jan 7, 2026 · via ghsa
2 files changed · +13 -5
  • wlc/__init__.py · +5 -5 · modified
    @@ -28,7 +28,8 @@
     DEVEL_URL = "https://github.com/WeblateOrg/wlc"
     API_URL = "http://127.0.0.1:8000/api/"
     USER_AGENT = f"wlc/{__version__}"
    -LOCALHOST_NETLOC = "127.0.0.1"
    +LOCALHOST_ADDRESSES = {"127.0.0.1", "localhost", "::1", "[::1]"}
    +
     TIMESTAMPS = {"last_change"}
     
     
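Review bot: In `LOCALHOST_ADDRESSES`, the `"[::1]"` entry can never match if the set is compared against `urlparse(...).hostname`, as the later hunk in this file does, because `hostname` returns IPv6 literals without the brackets. Drop that entry, or add a comment on the constant saying which URL attribute it is meant to be matched against. Other addresses in 127.0.0.0/8 are not treated as local by this set; that errs on the side of verifying, but it is worth stating in the comment so nobody later restores a prefix match to cover them.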
    @@ -195,7 +196,7 @@ def invoke_request(self, method, path, data=None, files=None, params=None):
             headers = {"user-agent": USER_AGENT, "Accept": "application/json"}
             if self.key:
                 headers["Authorization"] = f"Token {self.key}"
    -        verify_ssl = self._should_verify_ssl(path)
    +        verify_ssl = self.should_verify_ssl(path)
             kwargs = {
                 "headers": headers,
                 "verify": verify_ssl,
    @@ -371,11 +372,10 @@ def create_language(self, code, name, direction="ltr", plural=None):
             return self.post("languages/", **data)
     
         @staticmethod
    -    def _should_verify_ssl(path):
    +    def should_verify_ssl(path: str) -> bool:
             """Checks if it should verify ssl certificates."""
             url = urlparse(path)
    -        is_localhost = url.netloc.startswith(LOCALHOST_NETLOC)
    -        return url.scheme == "https" and (not is_localhost)
    +        return url.hostname not in LOCALHOST_ADDRESSES
     
     
     class LazyObject(dict):
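Review bot: The docstring on `should_verify_ssl` still reads "Checks if it should verify ssl certificates." and does not state the rule, although the method becomes public here and the `url.scheme == "https"` condition is dropped. Please document that the result is `True` for every input except an exact `url.hostname` match in `LOCALHOST_ADDRESSES`, which includes plain `http` URLs and inputs with no hostname at all (where `url.hostname` is `None`). It would also help to say in the docstring why exact hostname comparison replaced `url.netloc.startswith(...)`, since `netloc` also carries the port and any userinfo and a prefix match on it accepts longer hostnames.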
    
  • wlc/test_wlc.py · +8 -0 · modified
    @@ -300,6 +300,14 @@ def test_create_component_local_files(self) -> None:
                         filemask="po/*.po",
                     )
     
    +    def test_should_verify_ssl(self) -> None:
    +        self.assertEqual(Weblate.should_verify_ssl("http://localhost/api/"), False)
    +        self.assertEqual(Weblate.should_verify_ssl("invalid/api/"), True)
    +        self.assertEqual(
    +            Weblate.should_verify_ssl("https://localhost.example.com/api/"), True
    +        )
    +        self.assertEqual(Weblate.should_verify_ssl("http://example.com/api/"), True)
    +
     
     class ObjectTestBaseClass(APITest):
         """Base class for objects testing."""
    
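Review bot: `test_should_verify_ssl` checks only one input that returns `False` (`http://localhost/api/`) and does not exercise the other members of `LOCALHOST_ADDRESSES` or the IP form of the regression. Add cases for `https://127.0.0.1:8000/api/` and an IPv6 loopback URL such as `https://[::1]/api/` expecting `False`, and a case for a hostname that merely begins with `127.0.0.1`, which is what the removed `startswith` check matched, expecting `True`. `assertTrue` and `assertFalse` would read more clearly than `assertEqual(..., True)`.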
