24 matches found
CVE-2026-41886
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...
CVE-2026-41885
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41886 locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...
CVE-2026-41886
CVE-2026-41886 affects locize client SDK prior to 4.0.21. The issue is missing validation of event.origin in a window.addEventListener("message", …) handler, allowing an attacker-controlled postMessage to trigger internal handlers (editKey, commitKeys, isLocizeEnabled, etc.). Exploitation require...
CVE-2026-41886
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...
CVE-2026-41885
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
EUVD-2026-28795
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885
CVE-2026-41885 affects i18next-locize-backend prior to version 9.0.2. The issue arises when the backend interpolates values (lng, ns, projectId, version) directly into URL templates (loadPath/privatePath/addPath/updatePath/getLanguagesPath) without encoding or validation, enabling user-controlled...
CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
locize cross-site scripting vulnerability
Locize is an open-source browser text editing tool developed by Locize. Versions of Locize prior to 4.0.21 contained a cross-site scripting vulnerability. This vulnerability stemmed from the window.addEventListener("message", …) handler not verifying the event.origin, which could lead to cross-site...
i18next-locize-backend path traversal vulnerability
i18next-locize-backend is an open-source plugin for internationalization resource loading and key storage by locize. Versions of i18next-locize-backend prior to 9.0.2 had a path traversal vulnerability. This vulnerability arises from directly inserting lng, ns, projectId, and version into the URL...
@deviceinsight/ng-ui-scale-lib (>=10.0.0 <=10.1.0), locizify (>=6.1.0 <=9.0.9) +1 more potentially affected by CVE-2026-41886 via locize (>=4.0.0 <=4.0.16)
locize NPM version =4.0.0, =10.0.0, =6.1.0, =1.1.11, =2.0.6 Source cves: CVE-2026-41886 Source advisory: SNYK:JS-LOCIZE-16421454...
@deviceinsight/ng-ui-scale-lib (>=9.14.0 <=10.1.0), @namiq/chat-widget (>=0.0.11 <=0.0.15) +6 more potentially affected by CVE-2026-41886 via locize (>=0.0.3 <=4.0.16)
locize NPM version =0.0.3, =9.14.0, =0.0.11, =1.5.0, =0.0.3, =1.0.0, =0.0.1, =0.0.7 Source cves: CVE-2026-41886 Source advisory: OSV:GHSA-W937-FG2H-XHQ2...
GHSA-W937-FG2H-XHQ2 locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
Summary: Versions of the locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
Summary: Versions of the locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...
Origin Validation Error
Overview locize is a This package adds the incontext editor to your i18next setup. Affected versions of this package are vulnerable to Origin Validation Error in the window.addEventListener message handler due to missing validation of the event.origin property. An attacker can execute arbitrary...
locizer (>=5.0.0 <=5.0.1), locizify (>=9.0.0 <=9.0.9) +1 more potentially affected by CVE-2026-41885 via i18next-locize-backend (>=9.0.0 <=9.0.1)
i18next-locize-backend NPM version =9.0.0, =5.0.0, =9.0.0, =2.0.0, =2.0.6 Source cves: CVE-2026-41885 Source advisory: SNYK:JS-I18NEXTLOCIZEBACKEND-16415530...
@aedwards/ohif-viewer (>=5.0.1 <=5.0.14), @bitrefill/airfill-widget (>=3.6.0 <=4.1.7) +55 more potentially affected by CVE-2026-41885 via i18next-locize-backend (>=0.0.1 <=9.0.1)
i18next-locize-backend NPM version =0.0.1, =5.0.1, =3.6.0, =1.7.5, =1.0.5, =9.14.0, =1.0.0, =1.0.1, =0.8.1, =0.8.1, =1.0.0, =1.0.0, =0.0.11, =0.53.0-14, =0.53.3 and more Source cves: CVE-2026-41885 Source advisory: OSV:GHSA-MGCP-MFP8-3Q45...
i18next-locize-backend has URL Injection via Unsanitized Path Parameters
Summary: Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of...