CVE-2026-45106: Weblate: Stored HTML injection in editor search preview
Weblate’s live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields can store HTML and CSS that is rendered inside the authenticated editor of every user who runs a matching search.
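As an added illustration (not Weblate’s own code; the project’s fix is in the commit linked below), the pattern described above beside its escaped form: a search preview that concatenates the unit’s `source` and `context` straight into markup, versus one that HTML-escapes each field first. The `renderPreview*` helpers and the sample unit are constructed for this example.

```javascript
// Constructed sample: a translation unit whose contributor-editable fields
// carry markup. Anything reaching the preview from these fields is untrusted.
const sampleUnit = {
  source: 'Save <style>body{display:none}</style>',
  context: '<b>menu</b>',
};

// Vulnerable pattern: fields are interpolated into HTML as-is, so stored markup
// and CSS become part of the DOM of whoever runs a matching search.
function renderPreviewUnsafe(unit) {
  return `<div class="preview"><span class="source">${unit.source}</span>` +
         `<span class="context">${unit.context}</span></div>`;
}

// Escape the five characters that can change element or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened pattern: every untrusted field is escaped before it touches markup.
function renderPreviewSafe(unit) {
  return `<div class="preview"><span class="source">${escapeHtml(unit.source)}</span>` +
         `<span class="context">${escapeHtml(unit.context)}</span></div>`;
}

// Detection helper: after removing the preview's own wrapper elements, does
// any raw tag remain in the rendered output?
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(div|span)(\s[^>]*)?>/g, '');
  return /<[a-zA-Z]/.test(stripped);
}
```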
References
- github.com/WeblateOrg/weblate/commit/8b0adf1d0b43dfc0d09da4b878857b2288b84f2d
- github.com/WeblateOrg/weblate/pull/19422
- github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5
- github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m
- github.com/advisories/GHSA-6wxc-8mgq-w26m
- nvd.nist.gov/vuln/detail/CVE-2026-45106