CVE-2026-45106

CVSS v3.1

4.6

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Impact

Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.

Patches

https://github.com/WeblateOrg/weblate/pull/19422

Workarounds

Only the search preview on the selected views is affected.

Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-45106

GHSA-6WXC-8MGQ-W26M

Affected Products

Weblate

CVE-2026-45106

Impact

Patches

Workarounds

Resources

Weakness Enumeration

Related Identifiers

Affected Products

References · 6