CVE-2026-41886 locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...

CVE-2026-41886

CVE-2026-41886 affects locize client SDK prior to 4.0.21. The issue is missing validation of event.origin in a window.addEventListener("message", …) handler, allowing an attacker-controlled postMessage to trigger internal handlers (editKey, commitKeys, isLocizeEnabled, etc.). Exploitation require...

locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Summary Versions of the locize client SDK the browser module that wires up the locize InContext translation editor prior to 4.0.21 register a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...

GHSA-W937-FG2H-XHQ2 locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Summary Versions of the locize client SDK the browser module that wires up the locize InContext translation editor prior to 4.0.21 register a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...