CVE-2026-41886

CVE-2026-41886 is a high-severity cross-site scripting (XSS) vulnerability in locize (npm), affecting versions < 4.0.21. It is fixed in 4.0.21.

Summary

Versions of the locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin.

The pre-patch listener in src/api/postMessage.js gates dispatch only on event.data.sender === "i18next-editor-frame", but that value sits inside the attacker-controlled message payload, not in the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host (an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down) could send a crafted postMessage and trigger the internal handlers.

Affected versions

All versions of locize prior to 4.0.21.

Workarounds

No workaround short of upgrading.

Credits

Discovered via an internal security audit of the locize ecosystem.

Impact

Depending on which handler the attacker invokes, distinct consequences follow. All of them share the same root cause: the handlers implicitly assumed the payload came from the real editor iframe.

  • Cross-origin DOM XSS via editKey / commitKeys: the pre-patch handleEditKey assigned attacker-controlled payload values to item.node.innerHTML and to item.node.setAttribute(attr, value). That allowed planting <script>, <img onerror>, or onclick/onload/onfocus event handlers; and on attribute writes, href="javascript:…" / src="data:text/html,<script>…" / style="…" / etc.

  • api.source / api.origin hijack via isLocizeEnabled: the handler set api.source = e.source; api.origin = e.origin, attacker-controlled values. All subsequent sendMessage calls (which post translations, callbacks, etc., back toward api.source) would go to the attacker window rather than the real editor, leaking translation content and any metadata the SDK forwards.

  • CSS-injection / layout-escape via requestPopupChanges: containerStyle.height / .width were interpolated into calc() expressions and popup.style.setProperty() without validation, allowing attackers to inject additional CSS declarations (semicolons, behavior:url() on legacy IE, CSS-exfil patterns) into the popup inline style.

Exploitation requires the attacker-owned page to share a window reference with the locize-enabled host: typical vectors are an iframe on an attacker-controlled page, a window.opener/window.open relationship, or a parent frame that can postMessage into an embedded locize host. The SDK's intended model is that only the editor iframe at https://incontext.locize.app (or the configured staging/development origin) can reach these handlers.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2026-41886 has a CVSS score of 7.5 (High). The vector is network-reachable, requires no privileges, and requires user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.0.21); upgrading removes the vulnerable code path.

Security releases

locize → 4.0.21 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Fixed in 4.0.21, in the following layers:

  1. Primary: validate event.origin at the top of the window.addEventListener("message", …) handler in src/api/postMessage.js. The expected origin is derived from the configured iframe URL (getIframeUrl()), so custom staging/development environments continue to work. Messages from any other origin are silently dropped before any handler runs.

  2. Defence-in-depth: handleEditKey now rejects dangerous attribute-name writes (on*, style) and javascript: / data: / vbscript: / file: URLs on href / src / action / formaction / xlink:href; innerHTML assignments are sanitised through a throwaway DOMParser document (stripping <script>, <iframe>, <object>, <embed>, <link>, <meta>, <base>, <style> plus event handlers and dangerous URL schemes). Legitimate translation formatting (<b>, <em>, <strong>, <a href="https://…">, etc.) passes through.

  3. CSS-injection hardening: handleRequestPopupChanges now requires containerStyle.height / .width to match a strict CSS length pattern; malformed values are dropped silently.
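The three layers above, written as an added example (not locize's own code) in plain functions so the checks can be unit-tested outside a browser. The expected editor origin is assumed to come from the SDK's configured iframe URL; here it is a constructed constant, and the handler-map shape of dispatchMessage is an assumption.

```javascript
// Constructed stand-in for the configured iframe URL (getIframeUrl() in the SDK).
const EXPECTED_IFRAME_URL = "https://incontext.locize.app/";
const EXPECTED_ORIGIN = new URL(EXPECTED_IFRAME_URL).origin;

// Layer 1: trust the browser-enforced event.origin, never the payload alone.
// event.data.sender is attacker-controllable and only acts as a routing hint.
function isTrustedMessage(event) {
  return event.origin === EXPECTED_ORIGIN &&
    !!event.data && event.data.sender === "i18next-editor-frame";
}

// Layer 2: attribute-write policy for handleEditKey-style DOM updates.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);
const BAD_SCHEME = /^(javascript|data|vbscript|file):/i;

function isSafeAttributeWrite(name, value) {
  const n = String(name).toLowerCase();
  if (n.startsWith("on") || n === "style") return false;      // handlers, inline CSS
  if (URL_ATTRS.has(n)) {
    // Browsers ignore whitespace/control chars inside scheme names, so strip
    // them before matching (defeats "java\tscript:" style spellings).
    const v = String(value).replace(/[\x00-\x20]/g, "");
    if (BAD_SCHEME.test(v)) return false;
  }
  return true;
}

// Layer 3: popup sizes must be plain CSS lengths before reaching calc()/style.
const CSS_LENGTH = /^\d+(\.\d+)?(px|em|rem|%|vh|vw)$/;

function sanitizeContainerStyle(style) {
  const out = {};
  for (const key of ["height", "width"]) {
    const v = style && style[key];
    if (typeof v === "string" && CSS_LENGTH.test(v.trim())) out[key] = v.trim();
  }
  return out;   // malformed values (e.g. "50%;behavior:url(x)") are dropped
}

// Dispatcher tying the layers together; handlers maps message type -> function.
function dispatchMessage(event, handlers) {
  if (!isTrustedMessage(event)) return "dropped";   // origin check runs first
  const fn = handlers[event.data.type];
  if (typeof fn !== "function") return "unknown";
  fn(event.data.payload);
  return "handled";
}
```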

Frequently Asked Questions

  1. What is CVE-2026-41886? CVE-2026-41886 is a high-severity cross-site scripting (XSS) vulnerability in locize (npm), affecting versions < 4.0.21. It is fixed in 4.0.21. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2026-41886? CVE-2026-41886 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of locize are affected by CVE-2026-41886? locize (npm) versions < 4.0.21 are affected.
  4. Is there a fix for CVE-2026-41886? Yes. CVE-2026-41886 is fixed in 4.0.21. Upgrade to this version or later.
  5. Is CVE-2026-41886 exploitable, and should I be worried? Whether CVE-2026-41886 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-41886 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41886? Upgrade locize to 4.0.21 or later.
