CVE-2026-45106
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping, potentially allowing malicious code execution.
Risk Assessment
Any user performing a search may be exposed to the execution of malicious HTML and CSS code, creating a risk of XSS attacks within the editor.
Recommendation
It is recommended to upgrade to version 2026.5 to eliminate this vulnerability and secure the environment against potential attacks.
Original NVD description (English source)
Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.

