CVE-2026-41693

HIGH EPSS 20.8%
Published May 8, 20261mo ago · Modified Jun 17, 20262w ago
8.2 CVSS 3.1
High
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.

CVSS Details

Base Score
8.2
Exploitability
3.9
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
20.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt
CWE-73

References 1

  • github.com https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.