VYPR
Medium severity (4.3) · NVD Advisory · Published May 7, 2026 · Updated May 11, 2026

CVE-2026-44264

Description

Weblate is a web-based localization tool. Prior to version 5.17.1, the Markdown renderer used for user comments and other user-provided content did not properly sanitize some attributes. This issue has been patched in version 5.17.1.
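To show the attribute-escaping the fix introduces, the following is an added example, not Weblate's code: a minimal `![alt](src "title")` renderer with the pre-fix pattern beside the hardened form. The regex parser, the `ALLOWED_SCHEMES` list and the `escape_url` safe-character set are assumptions for the example; the inputs are the ones from the page's test cases.

```python
from __future__ import annotations
import html
import re
from urllib.parse import quote

# Simplified parser for one image element (constructed for this example; the
# real renderer uses a full Markdown parser). Accepts both the bare and the
# angle-bracket destination form seen in the page's tests.
IMAGE_RE = re.compile(
    r'!\[(?P<alt>[^\]]*)\]\('
    r'(?:<(?P<src_br>[^>]*)>|(?P<src>[^\s)]+))'
    r'(?:\s+"(?P<t1>[^"]*)"|\s+\'(?P<t2>[^\']*)\')?'
    r'\)'
)
ALLOWED_SCHEMES = ("http://", "https://")  # assumption: Weblate's allow-list may differ


def escape_url(url: str) -> str:
    # Percent-encode quotes, spaces and angle brackets so the value cannot
    # terminate a quoted attribute; common URL delimiters stay readable.
    return quote(url, safe="/:?#&=@,;()+*!$%")


def render_image_unsafe(alt: str, src: str, title: str | None) -> str:
    # The pre-fix pattern: src and title are interpolated raw, so a quote in the
    # URL closes the attribute and the remainder is parsed as new attributes.
    title_attr = f' title="{title}"' if title else ""
    return f'<img src="{src}" alt="{html.escape(alt)}"{title_attr} />'


def render_image(alt: str, src: str, title: str | None) -> str:
    # Hardened form: each attribute value is escaped for its context.
    if not src.lower().startswith(ALLOWED_SCHEMES):
        # Disallowed scheme: emit the Markdown source as escaped plain text.
        return html.escape(f"![{alt}]({src})")
    title_attr = f' title="{html.escape(title)}"' if title else ""
    return f'<img src="{escape_url(src)}" alt="{html.escape(alt)}"{title_attr} />'


def render_markdown_image(markdown: str, safe: bool = True) -> str:
    # Parse a single image element and render it with the chosen renderer.
    m = IMAGE_RE.fullmatch(markdown)
    if m is None:
        return html.escape(markdown)
    src = m.group("src_br") if m.group("src_br") is not None else m.group("src")
    title = m.group("t1") if m.group("t1") is not None else m.group("t2")
    renderer = render_image if safe else render_image_unsafe
    return renderer(m.group("alt"), src, title)
```

Unlike the patched Weblate fallback, the disallowed-scheme branch here keeps the alt text in the echoed source.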

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
weblate (PyPI) | < 5.17.1 | 5.17.1

Affected products

  • cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
    Range: <5.17.1

Patches

85abc9df88b7

fix(utils): correctly escape image target in markdown

https://github.com/WeblateOrg/weblate · Michal Čihař · Apr 27, 2026 · via ghsa
3 files changed · +24 -3
  • docs/changes.rst (+1 -0, modified)
    @@ -62,6 +62,7 @@ Weblate 5.17.1
     * The missing file-mask matches :ref:`alert <alerts>` is now restored after rescans that leave only the source translation.
     * Automatic translation from other components now ignores read-only source candidates with empty translations.
     * Markdown rendering now falls back to escaped plain text when the Markdown parser fails.
    +* Markdown image URLs are now escaped before rendering.
     
     .. rubric:: Compatibility
     
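Review bot: the new changelog line covers only image URLs, but the markdown.py change in this commit also HTML-escapes the image `title` attribute; a wording such as "Markdown image URLs and title attributes are now escaped before rendering." would describe the fix fully.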
    
  • weblate/utils/markdown.py (+6 -1, modified)
    @@ -3,6 +3,7 @@
     # SPDX-License-Identifier: GPL-3.0-or-later
     from __future__ import annotations
     
    +import html
     import re
     from functools import reduce
     
    @@ -117,7 +118,11 @@ def render_image(self, token: span_token.Image) -> str:
             Otherwise, escape the URL.
             """
             if self.check_url(token.src):
    -            return super().render_image(token)
    +            template = '<img src="{}" alt="{}"{} />'
    +            title = f' title="{html.escape(token.title)}"' if token.title else ""
    +            return template.format(
    +                self.escape_url(token.src), self.render_to_plain(token), title
    +            )
             return self.escape_html_text(f"![{token.title}]({token.src})")
     
         def check_url(self, url: str) -> bool:
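Review bot: the `alt` value in the new template comes from `self.render_to_plain(token)`, whose escaping is not visible in this hunk, while `src` and `title` are escaped explicitly; a brief comment stating that `render_to_plain` returns attribute-safe text (the `alt="ti &quot;tle"` expectation in test_markdown.py relies on it) would make the invariant clear. Separately, the unchanged fallback `self.escape_html_text(f"![{token.title}]({token.src})")` uses the title rather than the alt text, so a disallowed image such as `![title](ftp://invalid.link)` is echoed as `![](ftp://invalid.link)`; not a security issue, but the comment's original text is lost.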
    
  • weblate/utils/tests/test_markdown.py (+17 -2, modified)
    @@ -4,19 +4,24 @@
     
     from unittest.mock import patch
     
    -from django.test import TestCase
    +from django.test import SimpleTestCase, TestCase
     
     from weblate.auth.models import User
     from weblate.utils.markdown import get_mention_users, render_markdown
     
     
    -class MarkdownTestCase(TestCase):
    +class MarkdownTestCase(SimpleTestCase):
         def test_link(self) -> None:
             self.assertEqual(
                 '<p><a rel="ugc" target="_blank" '
                 'href="https://weblate.org/">link</a></p>\n',
                 render_markdown("[link](https://weblate.org/)"),
             )
    +        self.assertEqual(
    +            '<p><a rel="ugc" target="_blank" href="https://e.com/%22%20'
    +            'onclick=%22alert(1)">link</a></p>\n',
    +            render_markdown('[link](<https://e.com/" onclick="alert(1)>)'),
    +        )
     
         def test_js(self) -> None:
             self.assertEqual(
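Review bot: the `TestCase` to `SimpleTestCase` switch on the class line is unrelated to the escaping fix and would be easier to review as its own commit; `TestCase` and `User` remain imported, so presumably another class in this module still needs the database. The new link assertion documents that a `"` in a link destination is emitted as `%22`, a useful regression guard for the link path even though this commit changes only image rendering.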
    @@ -121,6 +126,16 @@ def test_image(self) -> None:
                 '<p><img src="https://valid.link" alt="title" /></p>\n',
                 render_markdown("![title](https://valid.link)"),
             )
    +        self.assertEqual(
    +            '<p><img src="https://e.com/%22%20onerror=%22alert(1)" '
    +            'alt="title" /></p>\n',
    +            render_markdown('![title](<https://e.com/" onerror="alert(1)>)'),
    +        )
    +        self.assertEqual(
    +            '<p><img src="https://valid.link" alt="ti &quot;tle" '
    +            'title="quot&quot;ed" /></p>\n',
    +            render_markdown("![ti \"tle](https://valid.link 'quot\"ed')"),
    +        )
             self.assertEqual(
                 "<p>![](ftp://invalid.link)</p>\n",
                 render_markdown("![title](ftp://invalid.link)"),
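Review bot: the two new assertions pin down `"` in the image destination, alt and title, but none covers `<`, `>` or `&` in alt or title, which go through `html.escape` in the fix and deserve one expectation each so a later change to `render_to_plain` or the title handling cannot silently regress them.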
    
