What is GHSA-6wxc-8mgq-w26m?

GHSA-6wxc-8mgq-w26m is a security advisory published by GitHub Security Advisories with Medium severity. Weblate: Stored HTML injection in editor search preview

Which CVE IDs does GHSA-6wxc-8mgq-w26m cover?

GHSA-6wxc-8mgq-w26m covers the following CVE IDs: CVE-2026-45106. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-6wxc-8mgq-w26m?

GHSA-6wxc-8mgq-w26m has a CVSS v3 base score of 4.6, published by GitHub Security Advisories.

Which products are affected by GHSA-6wxc-8mgq-w26m?

GHSA-6wxc-8mgq-w26m affects 1 product, including: pip/weblate:\u003c 2026.5.

GHSA-6wxc-8mgq-w26mMediumCVSS 4.6

Weblate: Stored HTML injection in editor search preview

Vendor

GitHub Security Advisories

Published

May 15, 2026

Last Modified

May 17, 2026

🔗 CVE IDs covered (1)

CVE-2026-45106 →

📋 Description

### Impact Weblate's live search preview renders unit `source` and `context` as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. ### Patches * https://github.com/WeblateOrg/weblate/pull/19422 ### Workarounds Only the search preview on the selected views is affected. ### Resources Weblate thanks @adrgs for reporting this issue responsibly via GitHub.

🎯 Affected products1

pip/weblate:< 2026.5

🔗 References (5)

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m
https://github.com/WeblateOrg/weblate/pull/19422
https://github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
https://github.com/advisories/GHSA-6wxc-8mgq-w26m