113 matches found
CVE-2026-48714
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...
EUVD-2026-37006
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...
CVE-2026-48714
The CVE-2026-48714 issue affects i18next-http-middleware prior to 3.9.7. The missingKeyHandler can accept request-body keys like proto , constructor, and prototype (and similar dotted variants) and, when downstream backends such as i18next-fs-backend ≤ 2.6.5 split on keySeparator, passes them to ...
CVE-2026-48713
CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "proto .polluted"), allowing pr...
EUVD-2026-37005
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...
PT-2026-49529
Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.7 i18next-fs-backend versions 2.6.5 and earlier Description The missingKeyHandler in i18next-http-middleware fails to reject dotted variants of restricted keys, such as proto .polluted, while only...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz Vulnerability Details CVEID:CVE-2026-41691 DESCRIPTION: Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a...
CVE-2026-41885
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41683
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...
CVE-2026-42353
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...
CVE-2026-42353
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...
CVE-2026-41693
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting fil...
CVE-2026-41885
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...
CVE-2026-41885
CVE-2026-41885 affects i18next-locize-backend prior to version 9.0.2. The issue arises when the backend interpolates values (lng, ns, projectId, version) directly into URL templates (loadPath/privatePath/addPath/updatePath/getLanguagesPath) without encoding or validation, enabling user-controlled...
EUVD-2026-28795
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...