CVE-2026-41886
Received Received - Intake
Cross-Site Scripting in locize Client SDK

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" β€” that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host β€” an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down β€” could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41886
EUVD
EUVD-2026-28796
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locize locize_client_sdk to 4.0.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the locize client SDK versions prior to 4.0.21. The SDK registers a window.addEventListener("message") handler that dispatches to internal handlers based on the content of the message event. However, it does not validate the event.origin, relying instead on a sender value inside the message payload, which can be controlled by an attacker. This means that any web page that can embed or be embedded by a locize-enabled host can send a crafted postMessage to trigger internal handlers improperly.

Impact Analysis

This vulnerability can allow an attacker to send crafted messages to the locize client SDK, potentially triggering internal handlers that could lead to unauthorized actions or data manipulation. Since the vulnerability affects message handling without proper origin validation, it could be exploited via cross-origin communication, impacting confidentiality, integrity, and availability of the application using the SDK.

Mitigation Strategies

To mitigate this vulnerability, upgrade the locize client SDK to version 4.0.21 or later, where the issue has been patched.

Compliance Impact

CVE-2026-41886 allows attackers to exploit cross-origin DOM-based XSS and hijack internal handlers in the locize client SDK, potentially leading to data leaks and unauthorized manipulation of translation data.

Such unauthorized access and data leakage could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Because the vulnerability enables attackers to redirect communication and inject malicious content, it poses risks to confidentiality, integrity, and availability of data, which are core principles in many compliance frameworks.

Therefore, failure to patch this vulnerability could result in non-compliance with standards that mandate secure handling of data and protection against cross-site scripting and origin validation flaws.

Detection Guidance

This vulnerability arises from the locize client SDK prior to version 4.0.21 registering a window.addEventListener("message", ...) handler that does not validate event.origin, allowing crafted postMessage events to trigger internal handlers.

Detection involves monitoring for suspicious or unexpected postMessage events where event.data.sender equals "i18next-editor-frame" but the event.origin is not from the legitimate locize editor iframe (https://incontext.locize.app).

Since the vulnerability is related to DOM-based cross-site scripting via postMessage, you can detect exploitation attempts by inspecting messages sent to the window object in browsers or by instrumenting the application to log or alert on postMessage events with unexpected origins.

There are no specific commands provided in the available resources to detect this vulnerability on a network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41886. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart