GHSA-6wxc-8mgq-w26mMediumCVSS 4.6

Weblate: Stored HTML injection in editor search preview

Published
May 15, 2026
Last Modified
May 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19422

Workarounds

Only the search preview on the selected views is affected.

Resources

Weblate thanks @adrgs for reporting this issue responsibly via GitHub.

🎯 Affected products1

  • pip/weblate:< 2026.5

🔗 References (5)