Skip to main content

Weblate CVE-2026-44264

| EUVDEUVD-2026-28388 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 https://github.com/WeblateOrg/weblate GHSA-5cmv-3rc4-7279
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 00:32 vuln.today
Analysis Generated
May 07, 2026 - 00:32 vuln.today
CVE Published
May 07, 2026 - 00:04 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19259

Workarounds

Even though the attacker might be able to inject code into the HTML, the Weblate's strict CSP should mitigate the risks.

Acknowlegement

Michal Čihař has identified and fixed this vulnerability.

AnalysisAI

Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.

Technical ContextAI

Weblate uses a Markdown renderer to process user-provided content in comments and other fields. The vulnerability stems from improper escaping of attributes in Markdown image tokens, specifically the image URL and title attributes. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because the Markdown parser was not properly escaping special characters in URLs and title attributes before embedding them into HTML. The patch introduces explicit HTML escaping using Python's html.escape() function and proper URL encoding to prevent attribute injection attacks. The vulnerable code path involves the render_image() method in weblate/utils/markdown.py, which now properly escapes the title attribute and validates URLs before rendering.

RemediationAI

Apply the vendor-released patch by upgrading Weblate to version 5.17.1 or later. The patch escapes Markdown image URLs and title attributes before rendering, preventing attribute injection. Upgrade instructions are available at https://github.com/WeblateOrg/weblate/pull/19259 and https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75. As a temporary workaround pending patching, rely on the existing strict Content Security Policy (CSP) configuration to prevent execution of injected JavaScript; verify that CSP headers are properly configured and enforce 'script-src' restrictions. Additionally, restrict the ability to submit Markdown content to trusted users only if operationally feasible, and monitor user comments for suspicious Markdown syntax containing quotes or event handler attributes.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-44264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy