cvedb.io
CVE-2026-48713
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-06-15T22:16:17.397 · Last modified 2026-06-17T16:39:45.360

Summary

i18next-fs-backend versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when the backend is used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default ".") before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or
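
To make the bug class concrete, the following is an added example and not i18next-fs-backend's own code: a minimal model of the separator-split path walker the summary describes, first unguarded and then with the segment guard and own-property check that closes the hole. setPathUnsafe, setPathSafe, isSafeSegment and leaksToPrototype are hypothetical names chosen here.

```javascript
// Added example, not i18next-fs-backend's code: a minimal model of the missing-key
// walker the advisory describes, unguarded and guarded. All names are hypothetical.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeSegment(seg) {
  return !FORBIDDEN.has(seg);
}

// Unguarded walker: obj['__proto__'] resolves to Object.prototype, so a key such as
// "__proto__.polluted" writes onto the shared prototype instead of the object.
function setPathUnsafe(obj, key, value, keySeparator = '.') {
  const path = key.split(keySeparator);
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Guarded walker: refuses prototype-steering segments up front and only descends
// through the object's own properties, never through inherited ones.
function setPathSafe(obj, key, value, keySeparator = '.') {
  const path = key.split(keySeparator);
  if (!path.every(isSafeSegment)) throw new Error(`unsafe key segment in "${key}"`);
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Self-check a walker: true if writing `key` leaked its last segment onto
// Object.prototype. The probe is created first, so it only sees the value by inheritance.
function leaksToPrototype(walker, key, keySeparator = '.') {
  const prop = key.split(keySeparator).pop();
  const probe = {};
  try { walker({}, key, 'polluted-value'); } catch (e) { /* guarded walker throws */ }
  const leaked = probe[prop] === 'polluted-value';
  delete Object.prototype[prop]; // restore the shared prototype
  return leaked;
}
```

leaksToPrototype is the kind of regression check a test suite can keep around after upgrading: it must return false for the walker in use, and any other object created afterwards must not see the written property.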

Affected products

i18next — i18next-fs-backend

