3 matches found
CVE-2026-41691 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL templat...
CVE-2026-41691
CVE-2026-41691 affects the i18next-http-backend package. Prior to version 3.0.5, the code interpolated the languages (lng) and namespaces (ns) into loadPath/addPath URL templates without proper encoding or sanitisation, allowing an attacker-controlled language input to alter URL structure and per...
GHSA-8847-338W-5HCJ i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
Summary Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...