Lucene search
K

120 matches found

IBM Security Bulletins
IBM Security Bulletins
added 2026/06/25 7:2 p.m.4 views

Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerabilities in i18next, follow-redirects, & brace-expansion

Summary SPSS Collaboration and Deployment Services is affected by vulnerabilities in i18next, follow-redirects, & brace-expansion. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement fo...

9.1CVSS6AI score0.00486EPSS
Exploits0Affected Software1
EUVD
EUVD
added 2026/06/25 5:28 p.m.11 views

EUVD-2026-37005

i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string...

9.1CVSS5.8AI score0.00419EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/25 5:28 p.m.9 views

EUVD-2026-37006

i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names...

9.1CVSS5.8AI score0.00419EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/15 11:16 p.m.6 views

Prototype Pollution

Overview i18next-fs-backend is an i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Affected versions of this package are vulnerable to Prototype Pollution via the getLastOfPath method. An attacker can modify global object...

9.1CVSS6.5AI score0.00419EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 10:16 p.m.12 views

CVE-2026-48714

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

9.1CVSS0.00419EPSS
Exploits0References2
CVE
CVE
added 2026/06/15 8:41 p.m.26 views

CVE-2026-48714

The CVE-2026-48714 issue affects i18next-http-middleware prior to 3.9.7. The missingKeyHandler can accept request-body keys like proto , constructor, and prototype (and similar dotted variants) and, when downstream backends such as i18next-fs-backend ≤ 2.6.5 split on keySeparator, passes them to ...

9.1CVSS5.4AI score0.00419EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/15 8:41 p.m.35 views

CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

9.1CVSS0.00419EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 8:41 p.m.3 views

CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

9.1CVSS5.9AI score0.00419EPSS
Exploits0References4
CVE
CVE
added 2026/06/15 8:31 p.m.44 views

CVE-2026-48713

CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "proto .polluted"), allowing pr...

9.1CVSS5.5AI score0.00419EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/15 8:31 p.m.34 views

CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...

9.1CVSS0.00419EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 8:31 p.m.3 views

CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...

9.1CVSS6AI score0.00419EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.18 views

PT-2026-49529

Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.7 i18next-fs-backend versions 2.6.5 and earlier Description The missingKeyHandler in i18next-http-middleware fails to reject dotted variants of restricted keys, such as proto .polluted, while only...

9.1CVSS5.3AI score0.00419EPSS
Exploits0References9
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/09 3:11 p.m.6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz Vulnerability Details CVEID:CVE-2026-41691 DESCRIPTION: Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a...

9.1CVSS5.4AI score0.00251EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.10 views

CVE-2026-41885

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...

6.5CVSS5.4AI score0.00224EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.11 views

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS5.3AI score0.00327EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.9 views

CVE-2026-42353

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...

8.2CVSS7.6AI score0.00387EPSS
Exploits0References1
NVD
NVD
added 2026/05/08 4:16 p.m.19 views

CVE-2026-42353

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...

8.2CVSS0.00387EPSS
Exploits0References1
NVD
NVD
added 2026/05/08 4:16 p.m.24 views

CVE-2026-41693

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting fil...

8.2CVSS0.00292EPSS
Exploits0References1
NVD
NVD
added 2026/05/08 4:16 p.m.18 views

CVE-2026-41885

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...

6.5CVSS0.00224EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/08 3:41 p.m.6 views

CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References1
Rows per page
Query Builder