Skip to main content

locize SDK EUVDEUVD-2026-28796

| CVE-2026-41886 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
May 08, 2026 - 17:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:32 vuln.today
Analysis Generated
May 08, 2026 - 16:32 vuln.today
CVE Published
May 08, 2026 - 15:45 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on locize (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 4.0.21.

DescriptionGitHub Advisory

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" - that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host - an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down - could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.

AnalysisAI

Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.

Technical ContextAI

The locize SDK is a browser-based JavaScript client for the locize localization platform's InContext editor feature, enabling live translation editing within web applications. The vulnerability stems from an insecure postMessage event listener in src/api/postMessage.js that validates event.data.sender (attacker-controlled payload data) instead of event.origin (browser-enforced source). This violates the Web Messaging API security model where origin validation is mandatory to prevent cross-origin attacks. The CWE-79 classification (Improper Neutralization of Input During Web Page Generation) applies because multiple handlers (editKey, commitKeys, requestPopupChanges) directly assign attacker-controlled payload values to DOM properties (innerHTML, setAttribute, style.setProperty) without sanitization. The affected component is the npm package 'locize' identified by CPE cpe:2.3:a:locize:locize:*:*:*:*:*:*:*:*, specifically versions below 4.0.21. The postMessage listener registers globally on window load, creating a persistent attack surface for any cross-origin context that can establish a window reference relationship.

RemediationAI

Upgrade the locize npm package to version 4.0.21 or later immediately using npm update locize or yarn upgrade locize, as documented in the release notes at https://github.com/locize/locize/releases/tag/v4.0.21. The patch commit d006b75fadb8e8ab77b023e462850fc6e9170735 (https://github.com/locize/locize/commit/d006b75fadb8e8ab77b023e462850fc6e9170735) implements mandatory event.origin validation against an allowlist of trusted editor origins before dispatching to internal handlers, blocking cross-origin postMessage attacks. If immediate upgrade is not feasible, implement defense-in-depth controls: (1) deploy Content Security Policy headers with script-src directives that block inline script execution and restrict script sources to trusted domains, mitigating XSS impact even if innerHTML injection occurs (trade-off: may break legitimate inline scripts in the application); (2) avoid embedding untrusted third-party content in iframes on pages that load the locize SDK, and validate all window.open calls to prevent establishing attacker-controlled window references (trade-off: limits certain integration patterns); (3) disable the InContext editor feature in production environments if not actively used for translation workflows, reducing the attack surface (trade-off: loses live editing capability). Note that CSP alone does not prevent API hijacking via isLocizeEnabled handler - upgrading to 4.0.21 is the only complete fix. Review application logs for unexpected postMessage activity patterns and audit translation content for injected scripts as forensic measures.

Share

EUVD-2026-28796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy