8 matches found
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz
Summary: IBM Watson Discovery Cartridge affected by vulnerability in i18next-http-backend-1.4.5.tgz. Vulnerability Details: CVEID: CVE-2026-41691. DESCRIPTION: i18nextify is a JavaScript library that adds website internationalization via a...
CVE-2026-41693
CVE-2026-41693 affects i18next-fs-backend
i18next-fs-backend path traversal vulnerability
i18next-fs-backend is an open-source backend layer developed by i18next for Node.js and Deno environments. It is used to load translation resources from the file system. Versions of i18next-fs-backend prior to 2.6.4 contained a path traversal vulnerability. This vulnerability arises from directly...
CVE-2026-41691
CVE-2026-41691 affects the i18next-http-backend package. Prior to version 3.0.5, the code interpolated the languages (lng) and namespaces (ns) into loadPath/addPath URL templates without proper encoding or sanitisation, allowing an attacker-controlled language input to alter URL structure and per...
CVE-2026-41691 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL templat...
Directory Traversal
Overview: i18next-http-backend is a backend layer for i18next for use in Node.js, in the browser and for Deno. Affected versions of this package are vulnerable to Directory Traversal or other URL manipulation, via unsanitized interpolation of lng and ns values in the...
@26lights/orcha (>=0.1.0 <=2.0.3), @8medusa/admin-bundler (>=1.0.0 <=2.12.10) +1088 more potentially affected by CVE-2026-41691 via i18next-http-backend (>=1.0.12 <=3.0.4)
i18next-http-backend NPM version =1.0.12, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =2.7.0, =0.0.1, =0.0.2, =2.13.1, =2.13.1, =2.13.1, =2.13.1, =0.0.0, =1.0.0, =1.1.4, =1.0.0, =1.0.2 and more Source cves: CVE-2026-41691 Source advisory: OSV:GHSA-Q89C-Q3H5-W34G...
GHSA-Q89C-Q3H5-W34G i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Summary: Versions of i18next-http-backend prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input the defau...