CVE-2026-45106: Stored XSS in Weblate Live Search Preview – Patch Guide
Weblate, a collaborative localization and translation platform, contains a stored cross-site scripting (XSS) vulnerability in its live search preview feature. Before version 2026.5, the tool failed to sanitize HTML and CSS content entered into source fields and context fields by contributors. When another user performs a search that matches this malicious content, the unescaped HTML and CSS executes in their browser within the authenticated Weblate editor environment. Any authenticated user can inject this payload, making it a contributor-level threat that persists and affects all users who trigger the matching search.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate output encoding in Weblate's live search preview rendering logic. Specifically, unit source and context fields are rendered as HTML without HTML entity encoding or sanitization. An authenticated contributor can inject arbitrary HTML/CSS into these fields, which are then stored in the database. When any other authenticated user executes a search that includes the malicious unit, the injected payload executes in their browser context with the same privilege level as the editor interface. This is a classic stored XSS vulnerability (CWE-79) where the attack vector is the search preview mechanism rather than direct user input reflection. The CVSS 3.1 score of 4.6 reflects the requirement for authenticated access and user interaction (performing a search), though the impact includes both confidentiality and integrity compromise.
Business impact
For organizations deploying Weblate as a translation management system, this vulnerability creates an insider threat risk. A malicious or compromised contributor account can inject credential-stealing payloads, session hijacking scripts, or UI-spoofing CSS into localization units. Every translator or reviewer searching for related content becomes a potential victim, with attackers capable of capturing authentication tokens, exfiltrating work in progress, or redirecting users to credential harvest pages—all while appearing to originate from the legitimate Weblate application. The damage scope depends on how widely the translation project is accessed; enterprise deployments with hundreds of translators face amplified risk. Additionally, if a contributor account is compromised via credential theft or supply chain attack, the attacker gains a persistent pivot point into the editor environment of all active users.
Affected systems
Weblate versions prior to 2026.5 are affected. The vendor product list in the source data is empty, indicating this is a first-party Weblate vulnerability rather than a third-party component issue. Organizations running Weblate on-premises or as a self-hosted instance need to verify their current version against 2026.5. SaaS instances hosted by Weblate's vendor should be patched automatically, but customers should confirm with their service provider.
Exploitability
The vulnerability requires two conditions: (1) authenticated access to Weblate (contributor or higher privilege), and (2) user interaction in the form of a search that triggers the preview rendering. The attack is not remotely exploitable without valid credentials, and the payload only activates when a search occurs, not on every page load. However, once a malicious unit is injected, it persists indefinitely in the database and will execute for any user searching for related content. The low barrier to entry—a standard contributor account can inject the payload—combined with the wide blast radius (all users performing matching searches) and the persistence of the stored payload make this moderately exploitable within a typical Weblate deployment. No KEV entry indicates this has not yet been observed in active exploitation in the wild at the time of this data.
Remediation
Organizations must upgrade Weblate to version 2026.5 or later to receive the patch. The patch implements proper HTML entity encoding or a sanitization library for the live search preview rendering logic. Alongside the upgrade, consider a post-incident audit: search the Weblate database for any suspicious HTML or script tags in source and context fields that may have been injected prior to patching, and review contributor activity logs for any unexpected field modifications. If a contributor account is suspected of compromise, reset its credentials and audit all modifications made by that account.
Patch guidance
Deploy Weblate 2026.5 or a later version as soon as practical. The patch address the root cause by escaping or sanitizing output in the live search preview. Verify the patch in your vendor advisory and release notes before deployment. For on-premises and self-hosted instances, plan a maintenance window and test the upgrade in a staging environment to confirm no custom plugins or integrations are broken. For SaaS customers, check with your Weblate provider for upgrade status and timeline. Once patched, no manual remediation of stored payloads is typically necessary—the encoding fix prevents re-execution—but a database audit may identify injected content for archival or evidence purposes.
Detection guidance
During live search preview rendering, monitor for unusual HTML tags, script elements, or event handlers in the unit source and context fields displayed to users. Log or alert on contributor modifications to these fields that include <, >, or script-like patterns. If feasible, implement a Web Application Firewall (WAF) rule to block or flag responses from Weblate that contain unescaped script tags in JSON or HTML payloads. Review user session logs and authentication events around the time the vulnerability was active; if a user's browser was redirected or unexpected API calls were made from their session, investigate for session hijacking. Browser console errors or CSP violations may also signal attempted XSS execution. Post-upgrade, baseline search preview behavior to detect future similar issues.
Why prioritize this
This vulnerability merits timely but not emergency patching. The CVSS score of 4.6 (Medium) reflects the authentication and user interaction requirements that limit remote and automated exploitation. However, the stored nature of the payload and the wide audience reach within an organization elevate the practical risk. Teams running large, multi-user Weblate instances should prioritize the 2026.5 upgrade within 30 days. Smaller deployments or those with restricted contributor access can extend the timeline to 60 days. The absence of KEV listing and active exploitation reporting suggests the vulnerability is not yet weaponized at scale, providing a window for organized patching before threat actors develop reliable exploits.
Risk score, explained
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N yields 4.6. Attack Vector (AV:N) is network-based; the attacker needs only HTTP access. Attack Complexity (AC:L) is low; no special conditions are required. Privileges Required (PR:L) mandates authenticated access—a contributor account. User Interaction (UI:R) requires the victim to perform a search. Scope (S:U) is unchanged; the impact is confined to Weblate. Confidentiality (C:L) and Integrity (I:L) impact reflects potential credential or session theft and UI spoofing, respectively. Availability (A:N) is unaffected. The combination of authentication, search-triggered execution, and limited scope keeps the score in the Medium band, though the persistence and multi-user impact warrant rapid remediation.
Frequently asked questions
Can this vulnerability be exploited without an active Weblate account?
No. The attacker must have at least contributor-level authenticated access to inject the malicious HTML/CSS into source or context fields. Remote, unauthenticated exploitation is not possible. However, a compromised contributor account (via credential theft, phishing, or insider threat) is sufficient to launch the attack.
If we upgrade to 2026.5, will existing malicious payloads in the database stop executing?
Yes. Version 2026.5 implements output encoding, which means the stored malicious HTML will be rendered as plain text or safely escaped when displayed in the live search preview. Existing payloads will no longer execute. However, it is advisable to audit the database for any suspicious content to understand the scope of any prior injection and to preserve evidence if needed.
What is the difference between this stored XSS and a reflected XSS?
Stored XSS persists in the database; any user performing a matching search will see the malicious payload execute without needing to click a link. Reflected XSS requires the victim to click a crafted link that includes the payload in the URL. Stored XSS is generally more dangerous because it affects all users and does not require social engineering to trigger in the same way.
Do we need to rotate all contributor credentials after upgrading?
Not automatically. However, if you suspect a contributor account was compromised and used to inject the payload, reset that account's credentials immediately and audit all changes it made. If you have no evidence of compromise, standard credential rotation practices suffice. Review your Weblate access logs around the time the vulnerability was active to help identify suspicious activity.
This analysis is provided for informational purposes and reflects the state of the vulnerability as of the published date. The information herein does not constitute professional security advice, and organizations should verify all vendor advisories, patch availability, and CVSS scores against official sources. No exploit code or weaponization details are included. Patch version numbers and affected product lists must be confirmed against the vendor's official security advisory before deployment. Organizations should conduct their own risk assessment based on their environment, deployment model, and threat landscape before prioritizing remediation efforts. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings