How the CVE Works
The vulnerability exists in the Markdown renderer Weblate uses to process user comments and other user-provided content. The renderer fails to properly sanitize specific HTML attributes, allowing an attacker to inject malicious scripts. An attacker who can submit Markdown content, such as a user with the “Developer” or “Review” role, can craft a Markdown payload containing a malicious HTML attribute, e.g., `` or an element with an `href` attribute that executes JavaScript. When the renderer converts this Markdown to HTML, the unsanitized attribute is left in place and is later inserted into the Document Object Model (DOM) of the victim’s browser.

This is a classic stored cross-site scripting (XSS) vulnerability, because the injected script is persistently stored by Weblate. When any user views the page containing the crafted Markdown (e.g., a comment in a translation discussion), that user’s browser executes the attacker’s script in the context of the Weblate origin.

The advisory notes that, even though an attacker may be able to inject code, Weblate’s strict Content Security Policy (CSP) mitigates the risk. However, the CSP alone does not fully remediate the vulnerability; it only reduces the impact.

The flaw was fixed in version 5.17.1 by adding proper sanitization of the problematic attributes. The fix is included in pull request 19259 and commit 85abc9df8. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). It received a CVSS v3 base score of 4.3 (moderate) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness was introduced in an unknown version and patched in the 5.17.1 release.
DailyCVE Form
Platform: PyPI
Version: before 5.17.1
Vulnerability: XSS via Markdown
Severity: Moderate
Date: 2026-05-07
Prediction: patch 2026-05-14
What Undercode Say:
Check installed weblate version
pip show weblate | grep Version
If version < 5.17.1, upgrade immediately
pip install --upgrade weblate==5.17.1
Verify the commit that fixed the issue
git clone https://github.com/WeblateOrg/weblate.git
cd weblate
git log --oneline -1 85abc9df8
git tag --contains 85abc9df8
Test if your instance is vulnerable (requires a user with comment privileges)
curl -X POST https://your-weblate.com/api/comments/ \
-H "Authorization: Token YOUR_API_TOKEN" \
-d "text=<img src=x onerror=alert('XSS')>"
Exploit
A logged-in user with the ability to post comments can insert the following Markdown:
<img src="x" alt="" title="onerror=alert('XSS')" />
or
<a href="javascript:alert('XSS')">Click Me</a>
When another user views the comment, the script executes in their browser, potentially stealing session tokens or performing actions on their behalf.
Protection from this CVE
- Upgrade Weblate to version 5.17.1 or later, which includes the proper sanitization logic.
- Enable and enforce a strict Content Security Policy (CSP) that disallows `unsafe-inline` and restricts script sources to trusted domains only.
- Restrict the ability to post comments or Markdown content to trusted roles only.
- Use a Web Application Firewall (WAF) to detect and block malicious Markdown payloads.
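The kind of allowlist sanitization the fix adds, as an added example that is not Weblate's own code: the permitted tags, attributes and URL schemes are assumptions, and it is run over the exact payloads quoted above (an `on*` attribute, a `javascript:` href, and a payload carried inside a legitimate `title` attribute).

```python
import html
import re
from html.parser import HTMLParser

# Allowlist: tags and per-tag attributes that may survive; everything else,
# including every on* event handler, is dropped instead of blocklisted.
ALLOWED_TAGS = {"p", "a", "img", "em", "strong", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"img", "br"}

def safe_url(value: str) -> bool:
    # Browsers skip whitespace/control chars when reading the scheme, so strip
    # and lowercase first; a URL with no scheme is relative and is accepted.
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", v)
    return m is None or m.group(1) in SAFE_SCHEMES

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: dropped entirely
        kept = []
        for name, value in attrs:        # HTMLParser lowercases names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # onerror, onclick, style, ...
            if name in URL_ATTRS and not safe_url(value or ""):
                continue                 # javascript:, data:, vbscript: ...
            # Re-quote and escape the value so a payload carried inside a
            # legitimate attribute (title="onerror=...") cannot break out.
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html: str) -> str:
    p = _Sanitizer()
    p.feed(rendered_html)
    p.close()
    return "".join(p.out)
```

Sanitization has to run on the renderer's HTML output, after Markdown conversion, or raw HTML passed through by the Markdown engine is never inspected.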
Impact
An attacker who can post crafted Markdown content could execute arbitrary JavaScript in the browsers of other users. While the CSP reduces the risk, the impact could include defacement, phishing attacks, or unauthorized actions performed on behalf of the victim. However, because the vulnerability requires the attacker to have an account with comment privileges, the overall severity is moderate.
Sources:
Reported By: github.com