Description
i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix — it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response — for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8.
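Added example, not i18nextify's own code: the attribute interpolation described above, once as the raw substitution the advisory describes and once with a URL-scheme allow-list applied after substitution. The names `interpolateAttr`, `isSafeUrl`, `interpolateRaw`, the translation table and `BASE_URL` are all constructed for this illustration.

```javascript
// Added example, not i18nextify's own code: attribute interpolation with a
// URL-scheme allow-list applied after {{key}} substitution. All names
// (interpolateAttr, isSafeUrl, translations, BASE_URL) are hypothetical.
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const BASE_URL = 'https://app.example.com/'; // constructed page origin
const TOKEN = /\{\{\s*([\w.-]+)\s*\}\}/g;

// Constructed translation table standing in for the i18next backend; the
// last two entries model a tampered translation file.
const translations = {
  docsUrl: 'https://example.com/docs',
  logo: '/static/logo-en.png',
  guide: 'guide#install',
  tamperedA: 'javascript:alert(1)',
  tamperedB: 'data:text/html,<script>alert(1)</script>',
};
const t = (key) => (key in translations ? translations[key] : key);

// The behaviour the advisory describes: the raw translated string is spliced
// into the attribute with no check of the resulting URL scheme.
function interpolateRaw(attrValue) {
  return attrValue.replace(TOKEN, (_, key) => t(key));
}

// Resolve the value the way the browser will (relative to the page) and
// accept only allow-listed schemes. The WHATWG URL parser strips leading
// whitespace and embedded tabs/newlines and lower-cases the scheme, so
// "  JavaScript:" or "java\tscript:" cannot slip past a plain string check.
function isSafeUrl(value) {
  let parsed;
  try {
    parsed = new URL(value, BASE_URL);
  } catch (_) {
    return false; // unparsable values are rejected, not applied
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened substitution: href/src must pass the scheme check after
// interpolation; otherwise the original, untranslated attribute is kept.
// Non-URL attributes are substituted as before.
function interpolateAttr(attrName, attrValue) {
  const substituted = interpolateRaw(attrValue);
  if (URL_ATTRS.has(attrName) && !isSafeUrl(substituted)) {
    return { value: attrValue, rejected: true };
  }
  return { value: substituted, rejected: false };
}
```

The check is scheme-only: a protocol-relative value such as `//other.example/x` resolves to `https:` and passes, so a host allow-list is a separate control if the deployment needs one.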
Published: 2026-05-07
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to inject arbitrary JavaScript into a page by manipulating translation files that the i18nextify library loads. Because the library replaces {{key}} tokens in src and href attributes with the raw translation string without validating the URL scheme, crafted values such as javascript:alert(1) or data:text/html,<script>...</script> are written directly to the DOM, enabling malicious payload execution in the context of the page and leading to classic cross‑site scripting attacks.

Affected Systems

Vendor i18next’s i18nextify library is affected. All releases before version 4.0.8 are vulnerable; upgrading to 4.0.8 or later removes the flaw.

Risk and Exploitability

With a CVSS score of 4.7 the vulnerability is of moderate severity, but the lack of a scheme check gives an attacker the ability to run any JavaScript if they can influence the translation source. Exploitation requires control over the translation JSON, the translation CDN, or a plain‑HTTP backend that can be MITMed. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, yet the potential impact remains that an attacker could deface a page or steal credentials from users if the library is used on a public website.

Generated by OpenCVE AI on May 7, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update i18nextify to version 4.0.8 or later to eliminate the vulnerability
  • Ensure that translation files are served over HTTPS and that only trusted sources can modify them
  • Validate or restrict user‑contributed locale uploads to avoid injection of malicious translation content


Advisories

Source: GitHub GHSA
ID: GHSA-6457-mxpq-4fqq
Title: i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes
History

Thu, 07 May 2026 20:30:00 +0000

Values added:

Description: added (text identical to the Description section above)
Title: i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes
Weaknesses: CWE-79, CWE-94
References: none listed
Metrics: cvssV3_1, score 4.7, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Values removed: none



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T20:01:59.272Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41692

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T21:16:29.717

Modified: 2026-05-07T21:16:29.717

Link: CVE-2026-41692

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses