CVE-2026-45106
Severity: MEDIUM 4.6
Weblate: Stored HTML injection in editor search preview
Published: 5/15/2026
Modified: 5/15/2026
Description
### Impact

Weblate's live search preview renders the unit `source` and `context` fields as HTML without escaping. Any contributor whose content reaches those fields can store HTML and CSS that is rendered inside the authenticated editor of every user who runs a matching search.

### Patches

* https://github.com/WeblateOrg/weblate/pull/19422

### Workarounds

Only the search preview on the selected views is affected.

### Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.
Affected packages (1)
- PyPI/weblate: from 0, < 2026.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
References (5)
- PATCH: https://github.com/WeblateOrg/weblate
- WEB: https://github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
- WEB: https://github.com/WeblateOrg/weblate/pull/19422
- WEB: https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
- WEB: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m