GHSA-6wxc-8mgq-w26mMediumCVSS 4.6
Weblate: Stored HTML injection in editor search preview
🔗 CVE IDs covered (1)
📋 Description
Impact
Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.
Patches
- https://github.com/WeblateOrg/weblate/pull/19422
Workarounds
Only the search preview on the selected views is affected.
Resources
Weblate thanks @adrgs for reporting this issue responsibly via GitHub.
🎯 Affected products1
- pip/weblate:< 2026.5
🔗 References (5)
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m
- https://github.com/WeblateOrg/weblate/pull/19422
- https://github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
- https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
- https://github.com/advisories/GHSA-6wxc-8mgq-w26m