CVE-2026-41691

CRITICAL · CVSS 3.1 base score 9.1 · EPSS 16.3%
Published May 7, 2026 · Last Modified Jun 17, 2026

Description

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (which is the default: i18next-browser-languagedetector reads ?lng= query parameters, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability: the attacker-controlled value is not neutralised before it is used as part of an output URL string, and the attack shape covers both path traversal and broader URL-structure injection, both of which are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. Users who cannot upgrade immediately can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length).
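The workaround in the description (strip .., /, \, ?, #, %, whitespace and control characters from lng / ns, and cap the length), as an added JavaScript example that is not code from i18next-http-backend, i18nextify or the advisory. The function names, the 32-character cap and the "en" / "translation" fallbacks are this example's own assumptions; buildLoadUrl only mimics the {{lng}} / {{ns}} template substitution the description refers to, so the unsafe and safe URLs can be compared side by side.

```javascript
// Added example: the pre-i18next sanitisation workaround from the advisory text.
// Not code from i18next-http-backend or i18nextify; names and limits are assumed.

const MAX_TOKEN_LENGTH = 32; // assumed cap; real locale codes and namespaces are short

// Characters the advisory says to strip, plus ASCII and C1 control characters.
const FORBIDDEN = /[\/\\?#%\s\u0000-\u001f\u007f-\u009f]/g;

// Returns a value safe to hand to i18next as lng or ns, or `fallback` if nothing
// usable is left. Non-string input (e.g. a missing cookie) also yields the fallback.
function sanitiseLocaleToken(value, fallback = "en") {
  if (typeof value !== "string") return fallback;
  let out = value.slice(0, MAX_TOKEN_LENGTH); // cap first so the loop below is bounded
  // Strip until a fixed point: removing "/" from "./." leaves "..", so a single
  // pass would let a traversal token survive.
  let prev;
  do {
    prev = out;
    out = out.replace(FORBIDDEN, "").replace(/\.\./g, "");
  } while (out !== prev);
  return out.length > 0 ? out : fallback;
}

// Mimics the loadPath / addPath template interpolation the description refers to:
// {{lng}} and {{ns}} are substituted verbatim, which is why unsanitised values can
// change the structure of the request URL. Function replacers avoid "$" patterns.
function buildLoadUrl(template, lng, ns) {
  return template.replace(/\{\{lng\}\}/g, () => lng).replace(/\{\{ns\}\}/g, () => ns);
}

// What a page should compute from detector-supplied values before calling i18next.
function safeLoadUrl(template, lng, ns) {
  return buildLoadUrl(template, sanitiseLocaleToken(lng, "en"), sanitiseLocaleToken(ns, "translation"));
}
```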

CVSS Details

Base Score
9.1
Exploitability
3.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
16.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

  • CWE-22 Path Traversal (Resource Mgmt)
  • CWE-74 Injection (Improper Neutralization of Special Elements in Output Used by a Downstream Component)

Affected Products 1

Vendor    Product               Version  Range
i18next   i18next-http-backend  *        <3.0.5

References 2

  • github.com https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621
    Patch
  • github.com https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621
    Patch