PatchSiren cyber security CVE debrief
CVE-2026-45106 WeblateOrg CVE debrief
CVE-2026-45106 is a MEDIUM severity vulnerability in Weblate, a web-based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. This allows any contributor whose content reaches those fields to store HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. The vulnerability has been patched in version 2026.5.
- Vendor: WeblateOrg
- Product: weblate
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Weblate, especially those allowing user-submitted content, should be aware of this vulnerability and upgrade to version 2026.5 or later.
Technical summary
The vulnerability stems from missing HTML escaping in Weblate's live search preview: unit source and context strings are inserted into the preview as raw HTML. A contributor who can store content in those fields can therefore inject HTML and CSS that is rendered in the browser of any other authenticated user whose search matches the injected content.
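To make the defect concrete, the following added example (not Weblate's own code) contrasts a search-preview renderer that interpolates unit source and context into HTML unescaped with one that escapes every contributor-controlled string before adding its own highlight markup. The unit shape, the `<strong>` highlighting and the sample payloads are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample search results: "source" and "context" are
# contributor-supplied strings; the second unit carries an HTML/CSS payload.
SAMPLE_UNITS = [
    {"source": "Save changes", "context": "button label"},
    {"source": "<style>body{display:none}</style>Hello",
     "context": "<img src=x onerror=alert(1)>"},
]


def render_preview_unsafe(units, query):
    """Vulnerable pattern: field text goes straight into the HTML response."""
    rows = []
    for unit in units:
        source = unit["source"].replace(query, f"<strong>{query}</strong>")
        rows.append(f"<li>{source} <em>{unit['context']}</em></li>")
    return "<ul>" + "".join(rows) + "</ul>"


def highlight(text, query):
    """Escape first, then add markup: the <strong> tags are ours, the text is not."""
    if not query:
        return html.escape(text)
    # Capturing group keeps the matched text at odd indices of the split.
    parts = re.split(f"({re.escape(query)})", text, flags=re.IGNORECASE)
    out = []
    for i, part in enumerate(parts):
        escaped = html.escape(part)
        out.append(f"<strong>{escaped}</strong>" if i % 2 == 1 else escaped)
    return "".join(out)


def render_preview_safe(units, query):
    """Hardened pattern: every contributor-controlled string is escaped."""
    rows = [
        f"<li>{highlight(u['source'], query)} <em>{highlight(u['context'], query)}</em></li>"
        for u in units
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def contains_raw_markup(rendered):
    """Rough self-check: tags that must never survive escaping in preview output."""
    return re.search(r"<(style|script|img)\b", rendered, re.IGNORECASE) is not None
```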
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Weblate version 2026.5 or later.
- Review user-submitted content for suspicious HTML or CSS code.
- Consider implementing additional security measures, such as Content Security Policy (CSP).
Evidence notes
The vulnerability has a CVSS score of 4.6 and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation.
Official resources
CVE-2026-45106 was published on 2026-06-10T20:17:27.220Z and modified on 2026-06-10T20:21:20.207Z.