PT-2026-37156 · Locize · Locize

Published: 2026-04-22 · Updated: 2026-05-08 · CVE-2026-41886

CVSS v3.1: 7.5 High

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: locize versions prior to 4.0.21
Description: The locize client SDK registers a window.addEventListener("message", …) handler that dispatches to internal handlers such as editKey(), commitKey(), commitKeys(), isLocizeEnabled(), and requestInitialize() without validating event.origin. The listener in src/api/postMessage.js incorrectly relies on event.data.sender === "i18next-editor-frame", a value inside the attacker-controlled payload, rather than on the browser-enforced origin. As a result, any web page that can embed, or be embedded by, a locize-enabled host can send a crafted postMessage and trigger these internal handlers. Potential impacts include:
  • Cross-origin DOM XSS via editKey() and commitKeys() by assigning attacker-controlled values to innerHTML or attributes.
  • Hijacking of api.source and api.origin via isLocizeEnabled(), leading to the leakage of translation content and metadata to an attacker-controlled window.
  • CSS injection and layout escape via requestPopupChanges() by interpolating unvalidated containerStyle.height and .width into CSS expressions.
Recommendations: Update to version 4.0.21.
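The root cause above is a trust decision based on a field inside event.data rather than on event.origin. The following added example (not locize's own code) puts the weak check next to a hardened listener that verifies the browser-enforced origin and the exact iframe window the host created, and replies to event.origin rather than "*". The editor origin, the data.message dispatch format and the MessageEvent-like objects are constructed for illustration.

```javascript
// Added example, not code from the locize project. Hypothetical editor origin:
// a real host would list the origin of the editor frame it actually embeds.
const TRUSTED_EDITOR_ORIGINS = new Set(["https://editor.example.invalid"]);

// The weak pattern described in the advisory: trusts a field the sender controls.
function weakIsEditorMessage(event) {
  return Boolean(event.data) && event.data.sender === "i18next-editor-frame";
}

// Hardened check: browser-enforced origin plus the exact frame window the host
// opened itself (`editorWindow` is that iframe's contentWindow). The sender
// field is kept only as a routing hint after the trust decision is made.
function isEditorMessage(event, editorWindow) {
  if (!TRUSTED_EDITOR_ORIGINS.has(event.origin)) return false;
  if (editorWindow && event.source !== editorWindow) return false;
  return typeof event.data === "object" && event.data !== null &&
    event.data.sender === "i18next-editor-frame";
}

// Dispatcher: returns the handler name that ran, or null if the message was
// rejected. Replies go to event.source with event.origin as targetOrigin,
// never "*", so translation content cannot be delivered to an unrelated window.
function dispatch(event, editorWindow, handlers) {
  if (!isEditorMessage(event, editorWindow)) return null;
  const { message, ...payload } = event.data;
  const fn = handlers[message];
  if (typeof fn !== "function") return null;
  const reply = fn(payload);
  if (reply !== undefined && event.source) {
    event.source.postMessage(reply, event.origin);
  }
  return message;
}

// Constructed MessageEvent-like objects so the logic runs offline (no browser).
const editorWin = { postMessage(msg, target) { this.last = { msg, target }; } };
const otherWin = { postMessage(msg, target) { this.last = { msg, target }; } };
const fromEditor = {
  origin: "https://editor.example.invalid", source: editorWin,
  data: { sender: "i18next-editor-frame", message: "isLocizeEnabled" },
};
// Same payload, different origin: passes the weak check, fails the hardened one.
const fromElsewhere = {
  origin: "https://other.example.invalid", source: otherWin,
  data: { sender: "i18next-editor-frame", message: "isLocizeEnabled" },
};
const handlers = { isLocizeEnabled: () => ({ enabled: true }) };
```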

Fix

XSS

Origin Validation Error


Weakness Enumeration

Related Identifiers

CVE-2026-41886
GHSA-W937-FG2H-XHQ2

Affected Products

Locize