CVE-2026-45106 Overview
CVE-2026-45106 is a stored cross-site scripting (XSS) vulnerability in Weblate, a web-based localization tool. Versions prior to 2026.5 render unit source and context fields as HTML in the live search preview without escaping. Any contributor who can write to those fields can persist HTML and CSS payloads. Those payloads execute inside the authenticated editor of every user whose search matches the stored content. The flaw is classified under CWE-79 and was patched in Weblate 2026.5.
Critical Impact
Authenticated contributors can inject persistent HTML or CSS that executes in other users' authenticated sessions when matching searches are performed.
Affected Products
- Weblate versions prior to 2026.5
- Self-hosted Weblate deployments exposing the live search preview
- Hosted Weblate instances running unpatched releases
Discovery Timeline
- 2026-06-10 - CVE-2026-45106 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45106
Vulnerability Analysis
Weblate's live search preview displays translation units as the user types a query. The preview path renders the unit source and context fields directly into the DOM as HTML rather than as text. Because the fields accept arbitrary contributor input, any markup stored there becomes active content when another user's search matches the unit.
Exploitation requires only contributor-level access to a translation project. The attacker stores HTML or CSS in a translation unit. Victims trigger execution by running a search whose results include the poisoned unit. The payload then executes in the authenticated context of the editor.
Root Cause
The root cause is missing output encoding in the live search preview template. Unit source and context values are emitted into HTML without being escaped or sanitized. This violates the standard contextual output encoding required to prevent CWE-79 stored XSS.
Attack Vector
The attack vector is network-based and requires low privileges plus user interaction. An authenticated contributor stores a malicious string in a translation unit's source or context. Any user who runs a search matching that unit loads the payload in their browser. Because the payload runs in the victim's authenticated session, it can read or modify translation data, abuse CSRF tokens, or stage UI redress through CSS.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-6wxc-8mgq-w26m and the fix in pull request 19422 for technical details.
Detection Methods for CVE-2026-45106
Indicators of Compromise
- Translation unit source or context fields containing HTML tags such as <script>, <img onerror=...>, <style>, or <iframe>.
- Unexpected outbound requests from editor sessions to attacker-controlled domains following search activity.
- Audit log entries showing contributor edits that introduce non-translatable markup into source strings.
Detection Strategies
- Query the Weblate database for unit source and context values matching HTML tag patterns and review them manually.
- Inspect browser DevTools network traffic from the editor for resource loads triggered by search previews.
- Correlate contributor edit timestamps with Content Security Policy (CSP) violation reports from the Weblate domain.
Monitoring Recommendations
- Enable and ship CSP violation reports to a central log for analysis.
- Monitor Weblate audit logs for bulk or unusual edits to source and context fields by recently added contributors.
- Alert on access to the live search endpoint that returns units containing HTML-control characters.
How to Mitigate CVE-2026-45106
Immediate Actions Required
- Upgrade all Weblate instances to version 2026.5 or later without delay.
- Audit existing translation units for stored HTML or CSS payloads and sanitize affected entries.
- Review contributor access and revoke accounts that introduced suspicious markup.
Patch Information
The issue is fixed in Weblate 2026.5. The fix adds proper HTML escaping to the live search preview rendering path. See the release notes for weblate-2026.5 and the upstream patch in PR 19422.
Workarounds
- Disable or restrict access to the live search preview until the upgrade is applied.
- Enforce a strict Content Security Policy that blocks inline scripts and untrusted resource origins.
- Limit contributor permissions on projects with broad reviewer audiences until units have been audited.
# Upgrade Weblate via pip in a virtual environment
pip install --upgrade 'Weblate==2026.5'
weblate migrate
weblate collectstatic --noinput
systemctl restart weblate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

