Description
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1.
Published: 2026-05-07
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weblate's Markdown renderer, used for user comments and other content, fails to escape certain attributes. An attacker can embed malicious script fragments that execute when the content is displayed, leading to a client-side XSS condition. The weakness falls under CWE-80. The impact is that an attacker can run arbitrary JavaScript in the victim’s browser session, potentially exfiltrating data or hijacking the interface.

Affected Systems

The vulnerability affects all Weblate releases prior to version 5.17.1 distributed by WeblateOrg. It is present in the comment rendering and any other user‑provided markdown content rendered by the application. No specific sub‑versions are listed in the advisory.

Risk and Exploitability

The CVSS base score of 4.3 suggests a moderate risk level. EPSS is not available, so the probability of exploitation is unknown. The issue is included in a public advisory but no exploit has been reported, and it is not listed in CISA KEV. The likely attack vector is an attacker posting crafted markdown in a user comment, which is inferred from the description. This flow would allow execution of malicious JavaScript in the victim’s browser.

Generated by OpenCVE AI on May 7, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Weblate 5.17.1 release or later to replace the vulnerable Markdown renderer.
  • If upgrading immediately is not possible, disable Markdown rendering for user comments to prevent injection of unsafe attributes.
  • Ensure that any custom markdown processing performs proper escaping of attributes to mitigate the XSS risk, consistent with best practices for input validation against CWE-80.

Generated by OpenCVE AI on May 7, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5cmv-3rc4-7279 Weblate vulnerable to XSS via crafted Markdown
History

Thu, 07 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Weblate
Weblate weblate
Vendors & Products Weblate
Weblate weblate

Thu, 07 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1.
Title Weblate is vulnerable to XSS via crafted Markdown
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Weblate Weblate
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T15:05:39.272Z

Reserved: 2026-05-05T16:33:55.845Z

Link: CVE-2026-44264

cve-icon Vulnrichment

Updated: 2026-05-07T15:04:55.310Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T15:16:10.760

Modified: 2026-05-07T15:46:27.607

Link: CVE-2026-44264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses