Skip to main content

Locize

1 CVEs product

Monthly

CVE-2026-41886 npm HIGH PATCH This Week

Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.

XSS Locize
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.

XSS Locize
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy