cbcvebase.
CVE-2026-42353
published 2026-05-08


Priority: P3 48
Severity: high 8.2 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.39% (30.5th percentile)
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
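For deployments that cannot move to 3.9.3 right away, an allowlist check in front of the resources route keeps unvalidated lng and ns values away from the backend. This is an added example, not code from i18next-http-middleware and not its 3.9.3 patch; it assumes the values arrive as space-separated `lng` and `ns` query parameters, and the names `parseSegments`, `checkResourceQuery` and `guardResources` are hypothetical.

```javascript
// Added example, not the project's code or its 3.9.3 patch.
// Assumption: language and namespace names in this deployment use only
// letters, digits, '_' and '-' (e.g. "en", "pt-BR", "common").
const SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;
const MAX_ITEMS = 20; // constructed cap on values per request

// Accept a parameter only if it is a string whose space-separated items
// all match the allowlist. Arrays/objects (e.g. ?lng[]=x) are rejected.
function parseSegments(raw) {
  if (typeof raw !== 'string') return null;
  const items = raw.split(' ').filter(Boolean);
  if (items.length === 0 || items.length > MAX_ITEMS) return null;
  return items.every((s) => SEGMENT.test(s)) ? items : null;
}

// Assumption: values arrive as the query parameters "lng" and "ns".
function checkResourceQuery(query) {
  const languages = parseSegments(query.lng);
  const namespaces = parseSegments(query.ns);
  if (!languages || !namespaces) return { ok: false };
  return { ok: true, languages, namespaces };
}

// Express-style middleware; mount it before the route that serves
// getResourcesHandler so rejected requests never reach the backend.
function guardResources(req, res, next) {
  if (!checkResourceQuery(req.query || {}).ok) {
    res.statusCode = 400;
    return res.end('invalid lng or ns');
  }
  return next();
}

// Constructed sample inputs: one legitimate, the rest must be refused.
const samples = [
  { lng: 'en de', ns: 'common' },
  { lng: '../../etc', ns: 'passwd' },
  { lng: 'en', ns: 'http://internal.example/x' },
  { lng: ['en'], ns: 'common' },
];
for (const q of samples) {
  console.log(JSON.stringify(q), '->', checkResourceQuery(q).ok ? 'allow' : 'reject');
}
```

The pattern rejects dots, slashes, backslashes, colons and percent signs, so neither a relative path segment nor a URL fragment survives; widen it only for characters your real language and namespace names need.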

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| i18next | i18next-http-middleware | < 3.9.3 | 3.9.3 |