Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes.
Patches
- https://github.com/WeblateOrg/weblate/pull/19259
Workarounds
Even though the attacker might be able to inject code into the HTML, the Weblate's strict CSP should mitigate the risks.
Acknowlegement
Michal Čihař has identified and fixed this vulnerability.
AnalysisAI
Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.
Technical ContextAI
Weblate uses a Markdown renderer to process user-provided content in comments and other fields. The vulnerability stems from improper escaping of attributes in Markdown image tokens, specifically the image URL and title attributes. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because the Markdown parser was not properly escaping special characters in URLs and title attributes before embedding them into HTML. The patch introduces explicit HTML escaping using Python's html.escape() function and proper URL encoding to prevent attribute injection attacks. The vulnerable code path involves the render_image() method in weblate/utils/markdown.py, which now properly escapes the title attribute and validates URLs before rendering.
RemediationAI
Apply the vendor-released patch by upgrading Weblate to version 5.17.1 or later. The patch escapes Markdown image URLs and title attributes before rendering, preventing attribute injection. Upgrade instructions are available at https://github.com/WeblateOrg/weblate/pull/19259 and https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75. As a temporary workaround pending patching, rely on the existing strict Content Security Policy (CSP) configuration to prevent execution of injected JavaScript; verify that CSP headers are properly configured and enforce 'script-src' restrictions. Additionally, restrict the ability to submit Markdown content to trusted users only if operationally feasible, and monitor user comments for suspicious Markdown syntax containing quotes or event handler attributes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28388
GHSA-5cmv-3rc4-7279