CVE-2026-41691— i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41691
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Source: NVD (National Vulnerability Database)
Vulnerability Description
Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default — i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection — both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
i18next-http-backend 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
i18next-http-backend是i18next开源的一个跨平台的后端资源加载工具。 i18next-http-backend 3.0.5之前版本存在路径遍历漏洞,该漏洞源于将lng和ns值直接插入URL模板而未进行编码、验证或路径清理,可能导致URL注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| i18next | i18next-http-backend | < 3.0.5 | - |
II. Public POCs for CVE-2026-41691
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41691
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: i18next
- CVE-2026-41693
i18next-fs-backend: Path traversal via unsanitised lng/ns al - CVE-2026-42353
Path traversal / SSRF in i18next-http-middleware via user-co - CVE-2026-41683
HTTP response splitting and DoS in i18next-http-middleware v - CVE-2026-41690
Prototype pollution and path traversal in i18next-http-middl - CVE-2026-41692
i18nextify is vulnerable to DOM XSS via javascript:/data: UR
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-41691
No comments yet