
12 matches found

EUVD
added 2026/06/15 8:41 p.m., 7 views

EUVD-2026-37006

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

CVSS 9.1, AI score 5.3, EPSS 0.00381
Exploits 0, References 2
CVE
added 2026/06/15 8:31 p.m., 21 views

CVE-2026-48713

CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "__proto__.polluted"), allowing pr...

CVSS 9.1, AI score 5.5, EPSS 0.00381
Exploits 0, References 2, Affected Software 1
NVD
added 2026/05/08 4:16 p.m., 13 views

CVE-2026-41693

i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, EPSS 0.00292
Exploits 0, References 1
ATTACKERKB
added 2026/05/08 3:38 p.m., 5 views

CVE-2026-41693

i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, AI score 5.8, EPSS 0.00292
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2026/05/08 3:38 p.m., 5 views

CVE-2026-41693 i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, AI score 5.7, EPSS 0.00292
Exploits 0, References 1
EUVD
added 2026/05/08 3:38 p.m., 6 views

EUVD-2026-28793

i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, AI score 5.8, EPSS 0.00292
Exploits 0, References 1
vulnersOsv
added 2026/04/22 5:43 p.m., 5 views

@adaptivestone/framework (>=2.7.3 <=3.0.22), @agsiri/common-utils (>=1.0.0 <=1.2.12) +320 more potentially affected by CVE-2026-41693 via i18next-fs-backend (>=1.0.2 <=2.6.3)

i18next-fs-backend NPM version =1.0.2, =2.7.3, =1.0.0, =0.2.0, =0.3.0, =3.7.0, =0.2.11, =1.1.0, =1.1.1, =1.0.0, =2.0.1, =2.0.1, =2.0.1, =2.0.1, =2.7.1-rc.5 and more Source cves: CVE-2026-41693 Source advisory: OSV:GHSA-8847-338W-5HCJ...

CVSS 8.2, AI score 5.4, EPSS 0.00292
Exploits 0
vulnersOsv
added 2026/04/22 5:43 p.m., 6 views

@diia-inhouse/i18n (>=2.8.2 <=2.8.14), @genie23/electron-base (>=0.0.4-alpha <=0.0.225) +53 more potentially affected by CVE-2026-41693 via i18next-fs-backend (>=2.0.0 <=2.6.3)

i18next-fs-backend NPM version =2.0.0, =2.8.2, =0.0.4-alpha, =3.0.0, =7.1.2, =2.4.2, =1.0.0, =1.0.0, =2.4.2, =2.4.2, =2.6.9, =2.4.2, =2.4.2, =2.4.2, =2.4.2, =2.5.5 and more Source cves: CVE-2026-41693 Source advisory: SNYK:JS-I18NEXTFSBACKEND-16415529...

CVSS 8.2, AI score 5.4, EPSS 0.00292
Exploits 0
Snyk
added 2026/04/22 5:43 p.m., 5 views

External Control of File Name or Path

Overview: i18next-fs-backend is a backend layer for i18next used in Node.js and for Deno to load translations from the filesystem. Affected versions of this package are vulnerable to External Control of File Name or Path that leads to raw interpolation of lng and ns value...

CVSS 8.8, AI score 5.9, EPSS 0.00292
Exploits 0, References 3
OSV
added 2026/04/22 5:43 p.m., 1 views

GHSA-8847-338W-5HCJ i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary: Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...

CVSS 8.2, AI score 5.8, EPSS 0.00292
Exploits 0, References 3
Github Security Blog
added 2026/04/22 5:43 p.m., 10 views

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary: Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...

CVSS 8.2, AI score 5.8, EPSS 0.00292
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/04/22 12:0 a.m., 3 views

PT-2026-37153

Name of the Vulnerable Software and Affected Versions: i18next-fs-backend versions prior to 2.6.4. Description: i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath and addPath templates to read or write files from the disk. Because this interpolation is...

CVSS 8.2, AI score 6, EPSS 0.00292
Exploits 0, References 4