CVE-2026-45106: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WeblateOrg weblate
Weblate versions prior to 2026. 5 contain a cross-site scripting (XSS) vulnerability in the live search preview feature. The vulnerability arises because unit source and context fields are rendered as HTML without proper escaping, allowing contributors to store malicious HTML and CSS. This malicious content executes within the authenticated editor of users performing matching searches. The issue has been fixed in version 2026. 5.
AI Analysis
Technical Summary
CVE-2026-45106 is a cross-site scripting vulnerability (CWE-79) in Weblate, a web-based localization tool. Before version 2026.5, the live search preview feature renders unit source and context fields as HTML without escaping, enabling contributors to inject HTML and CSS that execute in the context of authenticated users' editors when they run matching searches. This vulnerability allows limited impact on confidentiality and integrity but does not affect availability. The vulnerability is patched in version 2026.5.
Potential Impact
An attacker who can contribute content to the affected fields can inject HTML and CSS that execute in the browser of authenticated users running matching searches. This can lead to limited confidentiality and integrity impacts within the authenticated session context. There is no impact on availability. No known exploits are reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in Weblate version 2026.5. Users should upgrade to version 2026.5 or later to remediate this issue. No additional mitigations are indicated by the vendor advisory.
CVE-2026-45106: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WeblateOrg weblate
Description
Weblate versions prior to 2026. 5 contain a cross-site scripting (XSS) vulnerability in the live search preview feature. The vulnerability arises because unit source and context fields are rendered as HTML without proper escaping, allowing contributors to store malicious HTML and CSS. This malicious content executes within the authenticated editor of users performing matching searches. The issue has been fixed in version 2026. 5.
CVSS v3.1
Score 4.6medium
Affected software
pkg:github/weblateorg/weblateRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45106 is a cross-site scripting vulnerability (CWE-79) in Weblate, a web-based localization tool. Before version 2026.5, the live search preview feature renders unit source and context fields as HTML without escaping, enabling contributors to inject HTML and CSS that execute in the context of authenticated users' editors when they run matching searches. This vulnerability allows limited impact on confidentiality and integrity but does not affect availability. The vulnerability is patched in version 2026.5.
Potential Impact
An attacker who can contribute content to the affected fields can inject HTML and CSS that execute in the browser of authenticated users running matching searches. This can lead to limited confidentiality and integrity impacts within the authenticated session context. There is no impact on availability. No known exploits are reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in Weblate version 2026.5. Users should upgrade to version 2026.5 or later to remediate this issue. No additional mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T19:27:26.699Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29c2720e53e738838993a7
Added to database: 6/10/2026, 8:00:50 PM
Last enriched: 6/10/2026, 8:14:09 PM
Last updated: 6/10/2026, 9:08:19 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.