CVE-2026-45106
Severity: MEDIUM
Weblate: Stored HTML injection in editor search preview
Title source: CNA
Description
Weblate is a web-based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields can store HTML and CSS that is rendered inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
References (3)
x_refsource_confirm: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m
x_refsource_misc: https://github.com/WeblateOrg/weblate/pull/19422
x_refsource_misc: https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
Scores
CVSS v3
4.6
EPSS
0.0021
EPSS Percentile
10.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
pypi/weblate
0 - 2026.5 (PyPI)
WeblateOrg/weblate
< 2026.5
Published
Jun 10, 2026
Tracked Since
Jun 11, 2026