Weblate: Stored HTML injection in editor search preview

GHSA-6wxc-8mgq-w26m · CVE-2026-45106

Published May 15, 2026 · Modified Jun 11, 2026

Description

Impact

Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.

Patches

https://github.com/WeblateOrg/weblate/pull/19422

Workarounds

Only the search preview on the selected views is affected.

Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.

References

WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45106
WEB https://github.com/WeblateOrg/weblate/pull/19422
WEB https://github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
PACKAGE https://github.com/WeblateOrg/weblate
WEB https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes