Cyber Posture

CVE-2026-41886

High

Published: 08 May 2026

Published
08 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
EPSS Score 0.0001 3.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41886 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

IA-9 Service Identification and Authentication
addresses: CWE-346

Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.

SC-11 Trusted Path
addresses: CWE-346

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)
addresses: CWE-346

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

SC-23 Session Authenticity
addresses: CWE-346

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

SI-10 Information Input Validation
addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering
addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

NVD Description

locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The…

more

pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" — that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host — an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down — could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-79CWE-346

CVEs Like This One

CVE-2026-2101Shared CWE-79
CVE-2025-0817Shared CWE-79
CVE-2025-22751Shared CWE-79
CVE-2024-26006Shared CWE-79
CVE-2025-7760Shared CWE-79
CVE-2026-30862Shared CWE-79
CVE-2025-67614Shared CWE-79
CVE-2025-23489Shared CWE-79
CVE-2026-23807Shared CWE-79
CVE-2025-26989Shared CWE-79

References