cvedb.io
CVE-2026-41691
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-05-07T21:16:29.560 · Last modified 2026-06-17T10:47:00.717

Summary

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default — i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack sha
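The interpolation problem described in the summary, shown next to a validated form. This is an added example, not code from the library or from its 3.0.5 fix; the template string, the function names, the `app.example` origin and the allowlist pattern are assumptions chosen for illustration.

```javascript
// Added example; every name here is hypothetical, not the library's API.
const LOAD_PATH = '/locales/{{lng}}/{{ns}}.json'; // constructed sample template

// Pattern the summary describes: values substituted into the template as-is.
function interpolateRaw(template, lng, ns) {
  return template.replace('{{lng}}', () => lng).replace('{{ns}}', () => ns);
}

// Assumed allowlist: letters, digits, '-' and '_' only, bounded length.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Validate first, then encode, so a value can only ever fill one path segment.
function interpolateSafe(template, lng, ns) {
  for (const [name, value] of [['lng', lng], ['ns', ns]]) {
    if (typeof value !== 'string' || !SAFE_SEGMENT.test(value)) {
      throw new RangeError(`rejected ${name} value`);
    }
  }
  return template
    .replace('{{lng}}', () => encodeURIComponent(lng))
    .replace('{{ns}}', () => encodeURIComponent(ns));
}

// Independent check on the result: same origin, same path shape, no query string.
function staysInTemplate(url, base = 'https://app.example') {
  const u = new URL(url, base);
  return u.origin === base &&
    /^\/locales\/[^/]+\/[^/]+\.json$/.test(u.pathname) &&
    u.search === '';
}

// Constructed inputs: one ordinary language code, one carrying URL metacharacters.
const ordinary = 'de';
const structural = 'de/../x?y=';

function demo() {
  const out = [];
  out.push(['raw/ordinary', staysInTemplate(interpolateRaw(LOAD_PATH, ordinary, 'common'))]);
  out.push(['raw/structural', staysInTemplate(interpolateRaw(LOAD_PATH, structural, 'common'))]);
  try {
    out.push(['safe/structural', interpolateSafe(LOAD_PATH, structural, 'common')]);
  } catch (e) {
    out.push(['safe/structural', e.name]);
  }
  return out;
}

console.log(demo());
```

The allowlist is stricter than every language-code syntax in use, so an application that relies on other characters in `lng` or `ns` needs to widen it deliberately rather than drop the check.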

Affected products

i18next — i18next-http-backend

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.