CVE-2026-41886 HIGH

CVE-2026-41886: locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Vendor Locize
Product locize
Weakness CWE-79 · XSS
Published May 8, 2026
Last update May 8, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

01Description

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" — that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host — an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down — could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-9304 LocateAndFilter <= 1.6.14 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2026-42611 Grav: Stored XSS via Tag Injection CVE-2024-30556 WordPress Mighty Classic Pros And Cons plugin <= 2.0.9 - Cross Site Scripting (XSS) vulnerability CVE-2026-4335 ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title CVE-2021-38358 MoolaMojo <= 0.7.4.1 Reflected Cross-Site Scripting