CVE-2026-40299

A flaw was found in next-intl, a library for internationalization in Next.js applications. A remote attacker could exploit this vulnerability in applications using the next-intl middleware with localePrefix: 'as-needed'. By crafting specific URLs, the attacker could cause the middleware to redire...

CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or...

@0xchain/empty (>=0.0.1 <=1.1.0-beta.4), @0xchain/expandable-text (>=0.0.1 <=1.1.0-beta.18) +101 more potentially affected by CVE-2026-40299 via next-intl (>=4.0.2 <=4.9.0)

next-intl NPM version =4.0.2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.1, =2.2.0, =2.5.0 and more Source cves: CVE-2026-40299 Source advisory: SNYK:JS-NEXTINTL-15995498...

9s-fe-core (>=1.0.0 <=1.0.16), @0xchain/empty (>=0.0.1 <=1.1.0-beta.4) +168 more potentially affected by CVE-2026-40299 via next-intl (>=1.5.1 <=4.9.0)

next-intl NPM version =1.5.1, =1.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-40299 Source advisory: OSV:GHSA-8F24-V5VV-GM5J...