@0xchain/empty (>=0.0.1 <=1.1.0-beta.4), @0xchain/expandable-text (>=0.0.1 <=1.1.0-beta.18) +95 more potentially affected by unknown CVE via next-intl (>=4.0.2 <=4.9.1)

next-intl NPM version =4.0.2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.1, =2.2.0, =2.5.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-NEXTINTL-16438971...

next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

Summary setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys proto, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true...

CVE-2026-40299

A flaw was found in next-intl, a library for internationalization in Next.js applications. A remote attacker could exploit this vulnerability in applications using the next-intl middleware with localePrefix: 'as-needed'. By crafting specific URLs, the attacker could cause the middleware to redire...

next-intl 安全漏洞

next-intl is a Next.js solution developed by Jan Amann. Versions of next-intl prior to 4.9.1 contained a security vulnerability, which was caused by improper handling of middleware pathing, potentially leading to redirection to untrusted hosts...

next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...

@0xchain/empty (>=0.0.1 <=1.1.0-beta.4), @0xchain/expandable-text (>=0.0.1 <=1.1.0-beta.18) +95 more potentially affected by CVE-2026-40299 via next-intl (>=4.0.2 <=4.9.0)

next-intl NPM version =4.0.2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.1, =2.2.0, =2.5.0 and more Source cves: CVE-2026-40299 Source advisory: SNYK:JS-NEXTINTL-15995498...

9s-fe-core (>=1.0.0 <=1.0.16), @0xchain/empty (>=0.0.1 <=1.1.0-beta.4) +161 more potentially affected by CVE-2026-40299 via next-intl (>=1.5.1 <=4.9.0)

next-intl NPM version =1.5.1, =1.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-40299 Source advisory: OSV:GHSA-8F24-V5VV-GM5J...

GHSA-8F24-V5VV-GM5J next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...