MEDIUM 4.3 PyPI
Weblate vulnerable to XSS via crafted Markdown
GHSA-5cmv-3rc4-7279 · CVE-2026-44264
Published · Modified
Description
Impact
The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes.
Patches
Workarounds
Even though the attacker might be able to inject code into the HTML, the Weblate's strict CSP should mitigate the risks.
Acknowlegement
Michal Čihař has identified and fixed this vulnerability.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5cmv-3rc4-7279
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44264
- WEB https://github.com/WeblateOrg/weblate/pull/19259
- WEB https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1
Ready to move
Start Securing
Free, no credit card | First findings in minutes