Weblate: Stored HTML injection in editor search preview
CVE-2026-45106

4.6MEDIUM

Key Information:

Vendor

Weblateorg

Status
Weblate
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45106?

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.

Affected Version(s)

weblate < 2026.5

References

https://github.com/WeblateOrg/weblate/security/advisories...
x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/pull/19422
x_refsource_MISC
https://github.com/WeblateOrg/weblate/releases/tag/weblat...
x_refsource_MISC

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.