CVE-2026-41886: locize SDK Vulnerability Exposes Apps to Cross-Origin Attacks

The National Vulnerability Database has detailed CVE-2026-41886, a critical vulnerability in the locize client SDK (prior to version 4.0.21). The flaw stems from an insecure window.addEventListener("message", ...) handler in src/api/postMessage.js: the handler dispatches to internal functions such as editKey and commitKey without validating event.origin. An attacker can exploit this by sending a crafted postMessage from any web page that embeds, or is embedded by, a locize-enabled host. The intended event.data.sender check offers no protection, because that field is itself attacker-controlled.

This is a classic cross-origin communication vulnerability (CWE-346, Origin Validation Error) with elements of cross-site scripting (CWE-79). A successful exploit could let an attacker trigger internal locize SDK handlers, potentially manipulating localization data or other application state. The National Vulnerability Database assigns it a CVSS score of 7.5 (High), reflecting a significant impact on integrity and availability coupled with a low confidentiality impact.

Defenders must understand that this isn’t just a theoretical bug. Any application integrating a vulnerable locize SDK version is exposed. An attacker’s calculus here is straightforward: find a locize-enabled application, embed it or open it in a new window, and send a crafted postMessage that triggers sensitive internal logic. The fix, as noted by the National Vulnerability Database, is available in locize SDK version 4.0.21.

What This Means For You

  • If your organization uses locize for localization, immediately verify that your applications are using locize client SDK version 4.0.21 or newer. Prior versions are vulnerable to cross-origin message hijacking. Audit your web applications for any pages that embed, or are embedded by, third-party content that could exploit this flaw to manipulate your localization data.

Detection Rules

Rule (level: high; ATT&CK T1189 Drive-by Compromise, Initial Access): CVE-2026-41886: locize SDK Cross-Origin Message Manipulation

Sigma YAML:
title: CVE-2026-41886: locize SDK Cross-Origin Message Manipulation
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41886 by sending a crafted postMessage to a locize-enabled application. The vulnerability lies in the locize client SDK's message handler not validating event.origin, allowing an attacker-controlled message payload to trigger internal handlers. This rule specifically looks for requests that might indicate such an attempt, focusing on the presence of the locize script and a payload that mimics the expected sender within the query parameters, which is a common way such messages might be intercepted or manipulated in a web context.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41886/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/locize.js'
    # 'exact' is not a Sigma modifier; a plain field match is an exact match
    cs-method: 'POST'
    cs-uri-query|contains: 'event.data.sender=i18next-editor-frame'
  # condition belongs at the detection level, not inside the selection
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID | Type | Indicator
CVE-2026-41886 | Information Disclosure | locize client SDK versions prior to 4.0.21
CVE-2026-41886 | Code Injection | window.addEventListener("message", ...) handler in src/api/postMessage.js
CVE-2026-41886 | Auth Bypass | Lack of event.origin validation in locize client SDK
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
