14 matches found
CVE-2026-42353
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...
CVE-2026-42353 Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...
CVE-2026-42353
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...
CVE-2026-41683
CVE-2026-41683 affects i18next-http-middleware prior to 3.9.3. The root cause is that user-controlled language values (lng) were passed, via unsafe escaping, into the Content-Language header, potentially allowing HTTP response splitting or DoS depending on Node.js version. Older i18next (< 19....
CVE-2026-41690 Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...
CVE-2026-41690
Summary: CVE-2026-41690 affects i18next-http-middleware
CVE-2026-41690 Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...
@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +97 more potentially affected by CVE-2026-42353 via i18next-http-middleware (>=1.0.4 <=3.9.2)
i18next-http-middleware NPM version =1.0.4, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.2, =0.1.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.8 and more Source cves: CVE-2026-42353 Source advisory: OSV:GHSA-JFGF-83C5-2C4M...
PT-2026-36113
Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.3 Description The software passes user-controlled lng and ns values from the getResourcesHandler function directly into i18next.services.backendConnector.loadlanguages, namespaces, … without...
@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +97 more potentially affected by CVE-2026-41683 via i18next-http-middleware (>=1.0.4 <=3.9.2)
i18next-http-middleware NPM version =1.0.4, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.2, =0.1.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.8 and more Source cves: CVE-2026-41683 Source advisory: OSV:GHSA-C3H8-G69V-PJRG...
@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +94 more potentially affected by CVE-2026-41683 via i18next-http-middleware (>=3.0.2 <=3.9.2)
i18next-http-middleware NPM version =3.0.2, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.2, =0.1.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.8 and more Source cves: CVE-2026-41683 Source advisory: SNYK:JS-I18NEXTHTTPMIDDLEWARE-16415527...
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...
@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +97 more potentially affected by CVE-2026-41690 via i18next-http-middleware (>=1.0.4 <=3.9.2)
i18next-http-middleware NPM version =1.0.4, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.2, =0.1.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.8 and more Source cves: CVE-2026-41690 Source advisory: OSV:GHSA-5FGG-JCPF-8JJW...
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
Summary Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF. The vulnerable entry points are unauthenticated HTTP...