I18Next I18Next-Http-Middleware vulnerabilities

4 known vulnerabilities affecting i18next/i18next-http-middleware.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3

Vulnerabilities

CVE-2026-48714 | P2 | CRITICAL | CVSS 9.1 | fixed in 3.9.7 | 2026-06-15
[CRITICAL] CWE-1321: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.pol
Sources: ghsa, nvd

CVE-2026-41690 | P3 | HIGH | CVSS 8.6 | fixed in 3.9.3 | 2026-05-08
[HIGH] CWE-22: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and m
Sources: nvd

CVE-2026-41683 | P3 | HIGH | CVSS 8.6 | fixed in 3.9.3 | 2026-05-08
[HIGH] CWE-79: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage
Sources: nvd

CVE-2026-42353 | P3 | HIGH | CVSS 8.2 | fixed in 3.9.3 | 2026-05-08
[HIGH] CWE-22: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending
Sources: nvd