GHSA-5CMV-3RC4-7279

Vulnerability from github – Published: 2026-05-07 00:04 – Updated: 2026-05-08 21:47
Summary
Weblate vulnerable to XSS via crafted Markdown
Details

Impact

The Markdown renderer used for user comments and other user-provided content did not properly sanitize some HTML attributes, so crafted Markdown could inject markup that executes in other users' browsers (cross-site scripting, CWE-79).
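The defect class described above is an allowlist gap in the HTML produced from Markdown: tags survive the filter, but attributes on them (event handlers, `javascript:` URLs) are not checked. The following is an added example, not Weblate's own renderer or the code from the linked pull request, of an attribute-level sanitizer of the kind that must run over rendered Markdown before it is shown to other users. It is stdlib-only and takes already-rendered HTML as input; the tag allowlist, the per-tag attribute allowlist, the URL schemes and the sample inputs are all assumptions chosen for illustration.

```python
"""
Added example (not Weblate's code): an allowlist-based HTML attribute sanitizer
run over the output of a Markdown renderer. Every allowlist below is an
assumption chosen for illustration, not Weblate's configuration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tag -> attributes that tag may carry. Anything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept relative URLs and absolute ones whose scheme is allowlisted.

    Control characters and whitespace are stripped before the scheme check so
    that "java\\tscript:" or " javascript:" cannot slip past the comparison.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AttributeSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes.

    Text inside disallowed tags (including <script>) is kept as escaped text;
    attribute names are lowercased by HTMLParser, so ONERROR is caught too.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # open allowlisted tags, so output stays balanced
        self.dropped = []    # (tag, attribute) pairs removed, useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return           # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append((tag, name))   # e.g. onerror, onclick, style
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append((tag, name))   # e.g. javascript: or data: URL
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{''.join(kept)} />")
        else:
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return           # stray close for a dropped or never-opened tag
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # convert_charrefs=True already decoded entities; re-escape on output.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, dropped_attributes) for rendered Markdown output."""
    parser = AttributeSanitizer()
    parser.feed(html)
    parser.close()
    while parser.stack:                 # close anything the input left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed samples of the kind of HTML a renderer emits for raw Markdown.
    for sample in (
        '<p>Hello <img src="x" onerror="alert(1)" alt="pic"></p>',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="&#106;avascript:alert(1)">entity-encoded</a>',
    ):
        print(sanitize(sample))
```

The sanitizer reports what it dropped so that a deployment can log stripped attributes as a detection signal; a burst of `('img', 'onerror')` or `('a', 'href')` drops from one account is worth an alert on its own. A Content Security Policy remains a second layer on top of this, not a substitute for it.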

Patches

  • https://github.com/WeblateOrg/weblate/pull/19259

Workarounds

Even though an attacker may be able to inject markup into the rendered HTML, Weblate's strict Content Security Policy should mitigate the risk. The CSP is defense in depth, not a fix; upgrading to 5.17.1 resolves the issue.

Acknowledgement

Michal Čihař has identified and fixed this vulnerability.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "weblate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:04:26Z",
    "nvd_published_at": "2026-05-07T15:16:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe Markdown renderer used in user comments and other user-provided content didn\u0027t properly sanitize some attributes.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/19259\n\n### Workarounds\nEven though the attacker might be able to inject code into the HTML, the Weblate\u0027s strict CSP should mitigate the risks.\n\n### Acknowlegement\nMichal \u010ciha\u0159 has identified and fixed this vulnerability.",
  "id": "GHSA-5cmv-3rc4-7279",
  "modified": "2026-05-08T21:47:44Z",
  "published": "2026-05-07T00:04:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5cmv-3rc4-7279"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/19259"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WeblateOrg/weblate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate vulnerable to XSS via crafted Markdown"
}

