@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +89 more potentially affected by CVE-2026-42353 via i18next-http-middleware (>=3.0.2 <=3.9.2)

i18next-http-middleware NPM version =3.0.2, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.0, =0.0.1, =0.0.229 and more Source cves: CVE-2026-42353 Source advisory: SNYK:JS-I18NEXTHTTPMIDDLEWARE-16415528...

Server-side Request Forgery (SSRF)

Overview i18next-http-middleware is an i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the lng and ns parameters used by...

@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +92 more potentially affected by CVE-2026-42353 via i18next-http-middleware (>=1.0.4 <=3.9.2)

i18next-http-middleware NPM version =1.0.4, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.0, =0.0.1, =0.0.229 and more Source cves: CVE-2026-42353 Source advisory: OSV:GHSA-JFGF-83C5-2C4M...

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters

Summary Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.loadlanguages, namespaces, … without any sanitisation. Depending on which backend is configured, the unvalidated path...

GHSA-JFGF-83C5-2C4M i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters

Summary Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.loadlanguages, namespaces, … without any sanitisation. Depending on which backend is configured, the unvalidated path...

CVE-2026-7381

Plack::Middleware::XSendfile (Perl)

CVE-2026-7381

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting sendfile type to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the...

CVE-2026-7381 Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting sendfile type to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the...

EUVD-2026-26296

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting sendfile type to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the...

GHSA-WR32-99HH-6F35 Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services

Summary An authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing...

PT-2026-36113

Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.3 Description The software passes user-controlled lng and ns values from the getResourcesHandler function directly into i18next.services.backendConnector.loadlanguages, namespaces, … without...

PT-2026-36018

Name of the Vulnerable Software and Affected Versions Plack::Middleware::XSendfile versions prior to 1.0053 Description Plack::Middleware::XSendfile allows the variation setting sendfile type to be controlled by the client via the X-Sendfile-Type header if it is not defined in the middleware...

Plack::Middleware::XSendfile 信息泄露漏洞

Plack::Middleware::XSendfile is a middleware component developed by MIYAGAWA’s individual developers, designed to provide efficient file transfer support for web applications. Versions of Plack::Middleware::XSendfile prior to 1.0053 contained an information leakage vulnerability. This vulnerabili...

PT-2026-39184

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.5 Description An authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node that points to an arbitrary internal URL and sending API requests with the X-Node-ID header. The Proxy...

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

Server-side Request Forgery (SSRF)

Overview @dadigua/hyperchat is a HyperChat Core - Node.js backend and CLI tool with AI chat, MCP support Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the AI Proxy Middleware component when processing the baseurl argument. An attack...

BigSweetPotatoStudio HyperChat has a Server-Side Request Forgery issue

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request...

GHSA-R2JQ-4H3X-RFJ6 BigSweetPotatoStudio HyperChat has a Server-Side Request Forgery issue

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request...

CVE-2026-7223

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request...

CVE-2026-7223 BigSweetPotatoStudio HyperChat AI Proxy Middleware aiProxyMiddleware.mts fetch server-side request forgery

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request...