CVE-2026-45106

Published: Jun 10, 2026Modified: Jun 10, 2026Deferred

4.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.1 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/WeblateOrg/weblate/pull/19422

Source: security-advisories@github.com

https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5

Source: security-advisories@github.com

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m

Source: security-advisories@github.com

Timeline

No history available yet.