CVE-2026-41683
Published 2026-05-08
Priority P3 52 · Severity: high · CVSS 3.1 base score: 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 0.33% (24.5th percentile)
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| i18next | i18next-http-middleware | < 3.9.3 | 3.9.3 |
VulDB
vuldb · 2026-05-08 · CVSS 8.6
CVE-2026-41683 [HIGH] i18next i18next-http-middleware up to 3.9.2 Response Header utils.escape lng cross site scripting (GHSA-c3h8-g69v-pjrg)
A vulnerability was found in i18next i18next-http-middleware up to 3.9.2. It has been classified as problematic. Affected by this issue is the function utils.escape of the component Response Header Handler. Manipulation of the argument lng leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2026-41683. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
ghsa · 2026-04-29
CVE-2026-42353 [HIGH] CWE-22 i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters
### Summary
Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks:
- **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path).
- **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL).
Example request (truncated):
```
GET /locales/
```
GHSA
ghsa · 2026-04-22
CVE-2026-41683 [HIGH] CWE-113 i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
### Summary
Versions of `i18next-http-middleware` prior to 3.9.3 wrote user-controlled language values into the `Content-Language` response header after passing them through `utils.escape()`, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older `i18next` (< 19.5.0) that still exercised the backward-compatibility fallback at `LanguageDetector.js:100` or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled `lng` parameter reached `res.setHeader('Content-Language', ...)` verbatim. […] The XSS filter regex (a case-insensitive `/…/i` whose body is lost in extraction) only matched event handlers in the **first** attribute position, so a payload whose event-handler attribute came after another attribute bypassed the filter. Applications that rendered `res.locals.language` into HTML with a context-unsafe templating mode (EJS `<%- … %>`, Pug `!{…}`, Handlebars `{{{…}}}`) could be XSSed despite the filter being in place. This bypass is noted here because it is fixed in the s…
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.