Executive Summary

This vulnerability is a stored HTML injection issue in Weblate versions prior to 2026.5. It occurs in the live search preview feature where unit source and context fields are rendered as HTML without proper escaping.

Any contributor who adds content to these fields can inject HTML and CSS code that will execute inside the authenticated editor interface of any user performing a matching search.

This allows malicious code to run within the editor, potentially leading to Cross-Site Scripting (XSS) attacks.

The issue has been fixed in Weblate version 2026.5 by improving HTML generation and sanitization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious HTML and CSS code within the authenticated editor interface.

Such code execution can lead to unauthorized actions, data exposure, or manipulation within the Weblate environment.

Since the attack requires low privileges but user interaction (running a matching search), it can be exploited by contributors to affect other authenticated users.

The CVSS score of 4.6 (Medium) reflects the moderate risk posed by this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves stored HTML and CSS injection in the unit source and context fields of Weblate's live search preview feature. Detection would involve identifying if your Weblate instance is running a version prior to 2026.5, as those versions are affected.

Since the issue manifests when an authenticated user runs a matching search in the editor, you can detect potential exploitation by monitoring for unusual or unexpected HTML or CSS content in the unit source and context fields.

There are no specific commands provided in the resources to detect this vulnerability on your network or system.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade your Weblate installation to version 2026.5 or later, where this vulnerability has been patched.

The fix includes improved HTML generation to prevent Cross-Site Scripting (XSS), validation of URLs, basic sanitization to avoid undesired links, and safer construction of HTML in the search preview.

Until you can upgrade, consider restricting access to the live search preview feature to trusted users only, and monitor for suspicious content in the affected fields.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Weblate prior to version 2026.5 allows stored HTML and CSS injection in the live search preview, which can execute code within the authenticated editor of users running a matching search. This type of Cross-Site Scripting (XSS) vulnerability can potentially lead to unauthorized access or manipulation of user data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could lead to unauthorized disclosure or alteration of personal or sensitive data, thereby potentially impacting compliance.

The issue has been patched in version 2026.5, and applying this update is important to mitigate risks that could affect regulatory compliance.

Useful 0 Not Useful 0