Description
Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
Published: 2026-06-10
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weblate is a web‑based localization platform that offers a live search preview of translation units. Prior to version 2026.5, the preview rendered the unit source and context fields as raw HTML without escaping. Contributors could therefore insert arbitrary HTML and CSS into these fields, and the content would execute in the authenticated editor of any user whose search matched the unit. The vulnerability is a stored HTML injection (CWE‑79) that enables cross‑site scripting within the Weblate interface, potentially allowing attackers to steal session cookies, inject malicious scripts, or perform other unauthorized actions in the context of authenticated editors.

Affected Systems

WeblateOrg weblate deployments running versions prior to 2026.5 are affected. The fix is available in the release tagged weblate‑2026.5. Any instance that has not applied this update, including older releases such as 2026.4, 2026.3, and earlier, remains vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates a medium severity level, and the vulnerability is not listed in CISA’s KEV catalog. The exploit probability is unknown because EPSS is not available. The attack vector is inferred to be local: the attacker must act through a contributor role or otherwise manipulate content in the unit source or context fields. Once an attacker successfully injects malicious HTML, it will persist and execute in the editor for every authenticated user performing a matching search, giving the attacker persistent cross‑site scripting capability within the Weblate instance.

Generated by OpenCVE AI on June 10, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 2026.5 or newer.
  • If an upgrade cannot be performed immediately, disable or remove the live search preview feature until the patch is applied, or restrict contributor permissions so that only trusted users can edit unit source and context.
  • Scan existing translation units for injected HTML or CSS and sanitize or delete any malicious content.

Generated by OpenCVE AI on June 10, 2026 at 21:20 UTC.
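The rendering defect described above and the "scan existing translation units" recommendation, as an added example that is not Weblate's own code: a minimal client-side preview renderer showing the unescaped pattern next to the escaped form, plus a scanner that flags units already carrying markup. Unit structure, field names and sample data are constructed for illustration and do not reflect Weblate's internal data model.

```javascript
// Added example, not Weblate's code. Unit objects, field names and sample
// data are constructed assumptions for illustration only.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so it is shown as literal text inside HTML content or
// double/single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern (the pre-2026.5 behaviour the advisory describes):
// unit source and context are interpolated verbatim, so any tags they
// contain become live markup in the searching user's editor.
function renderPreviewUnescaped(unit) {
  return `<li class="unit"><span class="source">${unit.source}</span>` +
         `<span class="context">${unit.context}</span></li>`;
}

// Fixed pattern: every contributor-controlled field is escaped before
// interpolation, so the markup is displayed rather than rendered.
function renderPreviewEscaped(unit) {
  return `<li class="unit"><span class="source">${escapeHtml(unit.source)}</span>` +
         `<span class="context">${escapeHtml(unit.context)}</span></li>`;
}

// Scanner for the "review existing units" step: returns units whose source
// or context contains anything shaped like an HTML tag. Hits are review
// candidates, not proof of abuse; legitimate strings can carry markup.
const TAG_RE = /<\s*\/?\s*[a-zA-Z][^>]*>/;
function findUnitsWithMarkup(units) {
  return units.filter((u) => TAG_RE.test(u.source) || TAG_RE.test(u.context));
}

// Constructed sample units (not real Weblate data).
const SAMPLE_UNITS = [
  { id: 1, source: 'Save changes', context: 'button label' },
  { id: 2, source: 'Hello <b>world</b>', context: 'greeting' },
  { id: 3, source: 'Plain text', context: '<style>.unit{color:red}</style>' },
];

// Print the escaped preview for each flagged unit so a reviewer can see
// exactly what the preview would have rendered as markup.
for (const u of findUnitsWithMarkup(SAMPLE_UNITS)) {
  console.log(`unit ${u.id} needs review: ${renderPreviewEscaped(u)}`);
}
```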

Advisories
Source: GitHub GHSA
ID: GHSA-6wxc-8mgq-w26m
Title: Weblate: Stored HTML injection in editor search preview
History

Wed, 10 Jun 2026 20:00:00 +0000

Changes (values added; nothing removed):

Description: Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
Title: Weblate: Stored HTML injection in editor search preview
Weaknesses: CWE-79
References: (none listed)
Metrics: cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:56:49.797Z

Reserved: 2026-05-08T19:27:26.699Z

Link: CVE-2026-45106

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-10T20:17:27.220

Modified: 2026-06-10T20:21:20.207

Link: CVE-2026-45106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:30:36Z

Weaknesses