Skip to main content

Weblate CVE-2026-45106

| EUVDEUVD-2026-36114 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 https://github.com/WeblateOrg/weblate GHSA-6wxc-8mgq-w26m
4.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 17:33 vuln.today
Analysis Generated
May 15, 2026 - 17:33 vuln.today

DescriptionNVD

Impact

Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19422

Workarounds

Only the search preview on the selected views is affected.

Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.

AnalysisAI

Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.

Technical ContextAI

Weblate is a web-based continuous localization platform built on Python (pip package). This vulnerability is a classic stored XSS (CWE-79) where user-supplied data in translation unit 'source' and 'context' fields is rendered in the search preview DOM without HTML entity encoding. The affected component is the client-side JavaScript search preview feature in the authenticated translation editor. When translators search for content, the application dynamically renders matching translation units in a preview pane. The GitHub PR 19422 shows the fix migrated from unsafe jQuery .html() and string concatenation to safe DOM methods like document.createTextNode() and .textContent, which automatically escape HTML entities. The patch also adds URL validation through WLT.URLs.getHttpUrl() to prevent javascript: and data: URI injection in origin links. This is a content sanitization failure at the presentation layer rather than input validation at ingestion, meaning malicious payloads can persist in the database until search triggers rendering.

RemediationAI

Upgrade to Weblate version 2026.5 or later, released 2026-05-XX per GitHub tag weblate-2026.5 (https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5). The patch commit 8b0adf1d0b43dfc0d09da4b878857b2288b84f2d replaces unsafe jQuery .html() and string concatenation with safe DOM methods (document.createTextNode, .textContent) that automatically escape HTML entities in search preview rendering. If immediate upgrade is not possible, the vendor states only the search preview on specific views is affected, suggesting a temporary workaround of restricting contributor access or disabling live search preview via custom frontend modifications, though this is not officially documented and would require code changes to weblate/static/editor/tools/search.js. Organizations should prioritize patching over workarounds given the availability of a clean vendor fix. Post-upgrade, review contributor accounts for suspicious translation unit submissions containing script tags or event handlers in source/context fields, though the XSS only activates on search so historical exploitation evidence may be difficult to surface in logs.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-45106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy