CVE Catalog

CVE-2026-45106

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping, potentially allowing malicious code execution.

Risk Assessment

Any user performing a search may be exposed to the execution of malicious HTML and CSS code, creating a risk of XSS attacks within the editor.

Recommendation

It is recommended to upgrade to version 2026.5 to eliminate this vulnerability and secure the environment against potential attacks.

Original NVD description (English source)

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS