CVE-2026-41886
Cross-Site Scripting in locize Client SDK
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| locize | locize_client_sdk | < 4.0.21 (4.0.21 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the locize client SDK versions prior to 4.0.21. The SDK registers a window.addEventListener("message") handler that dispatches to internal handlers based on the content of the message event. However, it does not validate the event.origin, relying instead on a sender value inside the message payload, which can be controlled by an attacker. This means that any web page that can embed or be embedded by a locize-enabled host can send a crafted postMessage to trigger internal handlers improperly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41886 allows attackers to exploit cross-origin DOM-based XSS and hijack internal handlers in the locize client SDK, potentially leading to data leaks and unauthorized manipulation of translation data.
Such unauthorized access and data leakage could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.
Because the vulnerability enables attackers to redirect communication and inject malicious content, it poses risks to confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.
Therefore, failure to patch this vulnerability could result in non-compliance with standards that mandate secure handling of data and protection against cross-site scripting and origin validation flaws.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the locize client SDK prior to version 4.0.21 registering a window.addEventListener("message", ...) handler that does not validate event.origin, allowing crafted postMessage events to trigger internal handlers.
Detection involves monitoring for suspicious or unexpected postMessage events where event.data.sender equals "i18next-editor-frame" but the event.origin is not from the legitimate locize editor iframe (https://incontext.locize.app).
Since the vulnerability is related to DOM-based cross-site scripting via postMessage, you can detect exploitation attempts by inspecting messages sent to the window object in browsers or by instrumenting the application to log or alert on postMessage events with unexpected origins.
There are no specific commands provided in the available resources to detect this vulnerability on a network or system.
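The two answers above describe the flaw (dispatching on a `sender` field inside the payload instead of checking `event.origin`) and the detection idea (flag messages that claim to be the editor frame but arrive from an origin other than https://incontext.locize.app). The following is an added example, not code from locize or the SDK, that puts the unsafe pattern beside an origin-checked handler and includes a small audit helper a host page could use to log such messages. The handler name `setTranslation`, the message `type` field, and the sample events are constructed for illustration; the only values taken from the advisory are the sender string and the editor origin.

```javascript
// Added example: unsafe vs. origin-checked postMessage dispatch, plus a
// detection helper. Not the SDK's own code; handler names are hypothetical.

// Allowlist of origins permitted to drive the in-context editor integration.
// Assumption: the editor origin named in the Q&A is the only legitimate one.
const TRUSTED_EDITOR_ORIGINS = new Set(["https://incontext.locize.app"]);
const EDITOR_SENDER = "i18next-editor-frame"; // sender value named in the Q&A

// Hypothetical internal handlers keyed by a constructed `type` field.
const internalHandlers = {
  setTranslation(payload) {
    return { applied: payload.key };
  },
};

// Unsafe pattern (the class of flaw described for versions < 4.0.21):
// trust is based only on data.sender, which any sender can set.
function unsafeDispatch(event) {
  const data = event.data || {};
  if (data.sender !== EDITOR_SENDER) return null;
  const handler = internalHandlers[data.type];
  return handler ? handler(data.payload) : null;
}

// Hardened pattern: event.origin must be allowlisted before any field of
// event.data is trusted; the sender field is then only a routing hint.
function isTrustedEditorMessage(event) {
  if (!TRUSTED_EDITOR_ORIGINS.has(event.origin)) return false;
  const data = event.data;
  return !!data && typeof data === "object" && data.sender === EDITOR_SENDER;
}

function safeDispatch(event) {
  if (!isTrustedEditorMessage(event)) return null;
  const handler = internalHandlers[event.data.type];
  return handler ? handler(event.data.payload) : null;
}

// Detection helper: a message that claims to be the editor frame but comes
// from an untrusted origin is exactly the condition described above.
function auditMessage(event) {
  const data = event.data;
  const claimsEditor =
    !!data && typeof data === "object" && data.sender === EDITOR_SENDER;
  if (claimsEditor && !TRUSTED_EDITOR_ORIGINS.has(event.origin)) {
    return { suspicious: true, origin: event.origin, type: data.type };
  }
  return { suspicious: false };
}

// Browser wiring, guarded so the file also loads under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const finding = auditMessage(event);
    if (finding.suspicious) {
      console.warn("postMessage with editor sender from unexpected origin", finding);
    }
    safeDispatch(event);
  });
}

// Constructed sample events (not captured traffic): one from the editor
// origin, one carrying the same payload from an untrusted origin.
const legitimateEvent = {
  origin: "https://incontext.locize.app",
  data: { sender: EDITOR_SENDER, type: "setTranslation", payload: { key: "greeting" } },
};
const untrustedEvent = {
  origin: "https://untrusted.example",
  data: { sender: EDITOR_SENDER, type: "setTranslation", payload: { key: "greeting" } },
};
```

Running `unsafeDispatch(untrustedEvent)` returns `{ applied: "greeting" }`, showing that the payload-only check accepts the spoofed sender, while `safeDispatch(untrustedEvent)` returns `null` and `auditMessage(untrustedEvent)` reports it as suspicious. In a real host page, `auditMessage` is the piece to hook into whatever client-side logging or telemetry is already in place.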
How can this vulnerability impact me?
This vulnerability can allow an attacker to send crafted messages to the locize client SDK, potentially triggering internal handlers that could lead to unauthorized actions or data manipulation. Since the vulnerability affects message handling without proper origin validation, it could be exploited via cross-origin communication, impacting confidentiality, integrity, and availability of the application using the SDK.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the locize client SDK to version 4.0.21 or later, where the issue has been patched.