Based on the description this seems to be improper authorisation. An authenticated user can access data that it’s not supposed to (I assume you need to log in to see the data). The site in question should have a security contact where you can send your proven finding. Something like security@company.com or cert@company.com. They will usually require GPG encryption so the misconfigurstion you are reporting is not snooped (the attachment should be enough).

I’ve come across a few projects that use Weblate or Crowdin for translations. In on of those two you can search for additional projects to translate without having to go trough projects repos. Last one I was checking was probably InkStitch or the ffmpeg webpage.