{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45106", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-08T19:27:26.699Z", "datePublished": "2026-06-10T19:56:49.797Z", "dateUpdated": "2026-06-11T14:05:00.742Z"}, "containers": {"cna": {"title": "Weblate: Stored HTML injection in editor search preview", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m"}, {"name": "https://github.com/WeblateOrg/weblate/pull/19422", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/19422"}, {"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 2026.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T19:56:49.797Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5."}], "source": {"advisory": "GHSA-6wxc-8mgq-w26m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T14:04:38.991952Z", "id": "CVE-2026-45106", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T14:05:00.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-45106", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-11T14:04:38.991952Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T14:04:42.471Z"}}], "cna": {"title": "Weblate: Stored HTML injection in editor search preview", "source": {"advisory": "GHSA-6wxc-8mgq-w26m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 2026.5"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/19422", "name": "https://github.com/WeblateOrg/weblate/pull/19422", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5", "name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T19:56:49.797Z"}}}, "cveMetadata": {"cveId": "CVE-2026-45106", "state": "PUBLISHED", "dateUpdated": "2026-06-11T14:05:00.742Z", "dateReserved": "2026-05-08T19:27:26.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-10T19:56:49.797Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5."}], "id": "CVE-2026-45106", "lastModified": "2026-06-10T20:21:20.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-10T20:17:27.220", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/pull/19422"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6wxc-8mgq-w26m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.5)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "created": "2026-06-10T21:30:36.609250+00:00", "updated": "2026-06-11T10:30:11.842980+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}