Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command
Multi-translation download could write to an arbitrary location when instructed by a crafted server.
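A defensive check for the download issue described above, as an added example that is not wlc's own code: every name returned by the server is validated against an allowlist before it becomes part of a file path, and the resolved path must stay inside the output directory. The function name, the allowed character set and the directory layout are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: a slug or language code needs only these characters.
SLUG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]*")


class UnsafeSlugError(ValueError):
    """A server-supplied name would escape the output directory."""


def safe_download_path(output_dir, project, component, language, extension="po"):
    """Return the file path for one translation, or raise UnsafeSlugError.

    Hypothetical layout: <output_dir>/<project>/<component>/<language>.<extension>
    """
    parts = {"project": project, "component": component,
             "language": language, "extension": extension}
    for name, value in parts.items():
        # Allowlist check: rejects "", "..", "/", "\\", NUL and absolute paths.
        if not isinstance(value, str) or not SLUG_RE.fullmatch(value):
            raise UnsafeSlugError(f"rejected {name} from server: {value!r}")

    base = Path(output_dir).resolve()
    target = (base / project / component / f"{language}.{extension}").resolve()
    # Second layer: after resolving symlinks the file must still be under base.
    if base not in target.parents:
        raise UnsafeSlugError(f"{target} is outside {base}")
    return target


if __name__ == "__main__":
    # Constructed API results; the second is what a crafted server could return.
    results = [
        {"project": "hello", "component": "weblate", "language": "cs"},
        {"project": "../outside", "component": "weblate", "language": "cs"},
    ]
    for item in results:
        try:
            print("write", safe_download_path("out", **item))
        except UnsafeSlugError as error:
            print("skip ", error)
```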
Historically, wlc supported providing unscoped API keys in the settings. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against a different server.
The SSL verification would be skipped for some crafted URLs.