Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.
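
    // Node.js usage; i18n is the i18next module
    var i18n = require('i18next');

    var init = i18n.init({debug: true}, function(){
        var test = i18n.t('__firstName__ __lastName__', {
            // escaping is requested for interpolated values
            escapeInterpolation: true,
            // the value is itself a placeholder: the HTML-suffixed (unescaped) form of lastName
            firstName: '__lastNameHTML__',
            lastName: '<script>',
        });
        console.log(test);
    });
    // equals "<script> <script>"
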
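
A simplified model of the re-scan behaviour the proof of concept relies on, next to a single-pass form that avoids it. This is an added example, not i18next's code: the function names and the `Hello __firstName__` template are constructed, and it assumes (as the proof of concept implies) that an `HTML` suffix on a placeholder selects the unescaped value.

```javascript
// Simplified model of the flaw (not i18next's source). Assumption: with
// escaping on, __key__ yields the escaped value and __keyHTML__ the raw one.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, function (c) { return map[c]; });
}

// Vulnerable shape: one replacement pass per option key, each pass run over
// the output of the previous one, so an inserted value is scanned again.
function interpolateSequential(template, values) {
  var out = template;
  Object.keys(values).forEach(function (key) {
    out = out.split('__' + key + 'HTML__').join(String(values[key]));
    out = out.split('__' + key + '__').join(escapeHtml(values[key]));
  });
  return out;
}

// Hardened shape: a single pass over the original template. Substituted
// text is never rescanned, so placeholders inside values stay inert.
function interpolateSinglePass(template, values) {
  return template.replace(/__([A-Za-z0-9]+?)(HTML)?__/g, function (match, key, raw) {
    if (!Object.prototype.hasOwnProperty.call(values, key)) return match;
    return raw ? String(values[key]) : escapeHtml(values[key]);
  });
}

// Constructed input: both values are attacker-controlled, as in the PoC.
function demo() {
  var values = { firstName: '__lastNameHTML__', lastName: '<script>' };
  return {
    sequential: interpolateSequential('Hello __firstName__', values),
    singlePass: interpolateSinglePass('Hello __firstName__', values)
  };
}

console.log(demo());
```

In the sequential form the escaped `firstName` value contains no characters that need escaping, so it survives as a live placeholder and the next pass fills it with the raw `lastName` value.
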
Update to version 1.10.3 or later.