Description
Copilot said: i18nextify is a JavaScript library that adds
i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default — i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection — both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length).
Published: 2026-05-07
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject characters into the language (lng) and namespace (ns) parameters that are interpolated directly into the URL template used by the i18next-http-backend. This unsanitised input enables path traversal and broader URL‑structure injection (CWE‑22, CWE‑74). An exploit can cause the backend to request arbitrary files from the application’s file system or perform server‑side request forgery against external resources, leading to potential information disclosure or other server‑side side effects.

Affected Systems

i18next i18next-http-backend versions prior to 3.0.5 are affected. The issue exists in JavaScript applications that use the i18next-http-backend package and allow user‑controlled language selection via query parameters, cookies, or headers.

Risk and Exploitability

The CVSS score for this issue is 6.5, indicating medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote via user‑controlled input to the language selector, as the description mentions query parameters, cookies, localStorage, and request headers. While no public exploit is reported, the potential to retrieve arbitrary files or external resources makes this a moderate risk, especially for applications that expose the language selection to end users.

Generated by OpenCVE AI on May 7, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i18next-http-backend to version 3.0.5 or later.
  • If upgrading is not immediately possible, implement the recommended workaround by sanitizing the lng and ns parameters before they reach i18next: strip characters such as "..", "/", "\\", "?", "#", "%", whitespace, control characters, and impose a length limit.
  • Disable or restrict the exposure of language selection to untrusted user input; verify that the language detector does not accept arbitrary values from query strings, cookies, or headers.

Generated by OpenCVE AI on May 7, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q89c-q3h5-w34g i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
History

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared I18next
I18next i18next-http-backend
Vendors & Products I18next
I18next i18next-http-backend

Thu, 07 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default — i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection — both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length).
Title i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Weaknesses CWE-22
CWE-74
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

I18next I18next-http-backend
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T20:09:24.093Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41691

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T21:16:29.560

Modified: 2026-05-07T21:16:29.560

Link: CVE-2026-41691

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses