CVE-2026-45106
MEDIUM4.6Weblate: Stored HTML injection in editor search preview
發布日:2026/5/15修改日:2026/5/15
描述
### Impact Weblate's live search preview renders unit `source` and `context` as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. ### Patches * https://github.com/WeblateOrg/weblate/pull/19422 ### Workarounds Only the search preview on the selected views is affected. ### Resources Weblate thanks @adrgs for reporting this issue responsibly via GitHub.
受影響套件(1)
- PyPI/weblatefrom 0, < 2026.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
參考連結(5)
- PATCHhttps://github.com/WeblateOrg/weblate
- WEBhttps://github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
- WEBhttps://github.com/WeblateOrg/weblate/pull/19422
- WEBhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
- WEBhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m