Description
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" — that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host — an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down — could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

locize's client SDK, before version 4.0.21, registers a message event listener that dispatches to internal handlers without verifying the event's origin. Because validation is performed on an attacker-controlled payload field instead of the browser-enforced origin, a malicious page can send a crafted postMessage to a locize-enabled host. The internal handlers can then be invoked, enabling DOM cross-site scripting and hijacking of key functions such as editKey or commitKey. The vulnerability allows a remote attacker to inject malicious JavaScript into a page that embeds or is embedded by a locize host, potentially compromising user data and application integrity.

Affected Systems

All users of the locize client SDK released before 4.0.21 are affected. The vulnerability applies to any integration that loads the SDK on a web page that can be accessed from or embedded by a third‑party domain. The affected product is the locize client SDK; the vendor is locize. Software versions older than 4.0.21 are vulnerable; versions 4.0.21 and newer contain the origin check that mitigates the issue.

Risk and Exploitability

CVE-2026-41886 carries a CVSS score of 7.5, indicating a high-severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the lack of origin validation makes exploitation trivial for any page that can send a postMessage to a locize-enabled host. Attackers can exploit the flaw by embedding the vulnerable SDK in a malicious iframe or by opening the SDK page in a new window and sending a crafted message from an attacker-controlled origin. Because the flaw exists on the client side and does not require privileged credentials, the risk to systems that expose the SDK to untrusted domains is significant.

Generated by OpenCVE AI on May 8, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the locize client SDK to version 4.0.21 or newer, which adds an origin check to the postMessage listener.
  • If an upgrade cannot be applied immediately, modify the integration code to verify that event.origin matches the host's origin (or an explicit allowlist of trusted editor origins) before invoking internal handlers, rejecting messages from any other origin.
  • Implement a Content Security Policy that restricts script execution and disallows framing from untrusted domains, thereby limiting the ability of third-party pages to embed the affected SDK.
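The following is an added example, not code from the locize SDK or from OpenCVE, that shows the two listener shapes side by side: dispatch gated on a sender tag inside the payload (the pre-4.0.21 pattern the description attributes to src/api/postMessage.js) and dispatch gated on the browser-enforced event.origin as the recommended actions call for. The handler names editKey, commitKey and isLocizeEnabled come from the description; their bodies, the trusted editor origin and the sample events are assumptions constructed for the demonstration.

```javascript
// Added example (not locize's code). Handler bodies, the trusted origin and
// the sample events below are constructed for illustration only.

// Constructed in-memory state that the internal handlers mutate.
function makeState() {
  return { pending: {}, committed: {}, log: [] };
}

// Internal handlers keyed by message type. Each receives (state, data).
const HANDLERS = {
  editKey(state, data) {
    state.pending[data.key] = data.value;
    return "editKey";
  },
  commitKey(state, data) {
    if (!Object.prototype.hasOwnProperty.call(state.pending, data.key)) {
      return "commitKey:nothing-pending";
    }
    state.committed[data.key] = state.pending[data.key];
    delete state.pending[data.key];
    return "commitKey";
  },
  isLocizeEnabled(state) {
    state.log.push("isLocizeEnabled");
    return "isLocizeEnabled";
  },
};

// Vulnerable shape: the only gate is a string inside event.data, which the
// sending page chooses. Any frame or opener that can reach this window can
// set it, so the check proves nothing about who sent the message.
function vulnerableDispatch(state, event) {
  const data = event.data;
  if (!data || data.sender !== "i18next-editor-frame") return "ignored";
  const handler = HANDLERS[data.type];
  return handler ? handler(state, data) : "ignored";
}

// Hardened shape: event.origin is filled in by the browser from the sender's
// document origin and cannot be forged by the sender, so comparing it against
// an explicit allowlist rejects every foreign page before any handler runs.
// The payload is still shape-checked, and handler lookup uses hasOwnProperty
// so a type such as "constructor" cannot reach Object.prototype.
function hardenedDispatch(state, event, trustedOrigins) {
  if (!trustedOrigins.has(event.origin)) return "rejected:origin";
  const data = event.data;
  if (typeof data !== "object" || data === null) return "rejected:shape";
  if (typeof data.type !== "string") return "rejected:shape";
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) {
    return "rejected:unknown-type";
  }
  return HANDLERS[data.type](state, data);
}

// Wires the hardened dispatcher onto a window-like object; in a browser this
// is window, in Node the install below is skipped.
function installHardenedListener(win, state, trustedOrigins) {
  const listener = (event) => hardenedDispatch(state, event, trustedOrigins);
  win.addEventListener("message", listener);
  return listener;
}

// Assumed editor origin for this demonstration.
const TRUSTED_ORIGINS = new Set(["https://editor.example.test"]);

// Constructed events in the shape a "message" listener receives. The second
// copies the sender tag exactly; only the browser-set origin differs.
const FROM_EDITOR = {
  origin: "https://editor.example.test",
  data: { sender: "i18next-editor-frame", type: "editKey", key: "title", value: "Hello" },
};
const FROM_OTHER_ORIGIN = {
  origin: "https://other.example.test",
  data: { sender: "i18next-editor-frame", type: "editKey", key: "title", value: "injected text" },
};

// Runs both dispatchers over the same two events and reports what each accepted.
function compareDispatchers() {
  const vulnState = makeState();
  const hardState = makeState();
  return {
    vulnerable: [vulnerableDispatch(vulnState, FROM_EDITOR), vulnerableDispatch(vulnState, FROM_OTHER_ORIGIN)],
    hardened: [
      hardenedDispatch(hardState, FROM_EDITOR, TRUSTED_ORIGINS),
      hardenedDispatch(hardState, FROM_OTHER_ORIGIN, TRUSTED_ORIGINS),
    ],
    hardenedPendingTitle: hardState.pending.title,
  };
}

if (typeof window !== "undefined") {
  installHardenedListener(window, makeState(), TRUSTED_ORIGINS);
}
```

The vulnerable dispatcher accepts both events because the sender tag matches in each; the hardened one accepts only the event whose origin is on the allowlist, and the foreign page's edit never lands in state. When the host must also reply to the editor, send the reply with `event.source.postMessage(reply, event.origin)` rather than a `"*"` target origin so that the response is equally bound to the verified origin.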



Advisories
Source: GitHub GHSA
ID: GHSA-w937-fg2h-xhq2
Title: locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
History

Fri, 08 May 2026 22:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:00:00 +0000

Values added:
  • Description: (identical to the Description at the top of this page)
  • Title: locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
  • Weaknesses: CWE-346, CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:26:51.755Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41886

Vulnrichment

Updated: 2026-05-08T17:09:42.907Z

NVD

Status: Received

Published: 2026-05-08T16:16:12.060

Modified: 2026-05-08T16:16:12.060

Link: CVE-2026-41886

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T17:45:13Z

Weaknesses