locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Severity:: High

Description

Versions of the locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin.

Recommendation

Update the locize package to the latest compatible version. Followings are version details:

Affected version(s): < 4.0.21
Patched version(s): 4.0.21

References

GHSA-w937-fg2h-xhq2
developer.mozilla.org
CVE-2026-41886
CWE-346
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6
OWASP 2021-A7

Related Issues

CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function - CVE-2026-26861
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-azure - CVE-2026-34750
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation - CVE-2026-45548

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; locize

Anything's wrong? Let us know Last updated on May 13, 2026