CVE-2026-41691
URL Injection in i18nextify JavaScript Library
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| i18nextify | i18nextify | < 3.0.5 (fixed in 3.0.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in i18nextify allows an attacker to inject characters into URL paths because user-controlled input is interpolated without encoding, validation, or sanitisation. This enables URL-injection attacks, including path traversal and manipulation of the structure of the outgoing request URL.
Such weaknesses can expose sensitive data or allow unauthorized access to resources, which may affect compliance with standards such as GDPR and HIPAA that require protection of personal and sensitive information.
However, the available information does not describe a direct impact on compliance with these regulations; the effect in any given deployment depends on what the manipulated request can reach.
Can you explain this vulnerability to me?
The vulnerability exists in the i18nextify JavaScript library in versions prior to 3.0.5. This library adds website internationalization via a script tag, without requiring changes to the site's source code. The issue arises because the library interpolates the language (lng) and namespace (ns) values directly into the URL templates (loadPath / addPath) without any encoding, validation, or path sanitisation.
Since the language selection can be controlled by user input (for example, through query parameters, cookies, localStorage, or request headers), an attacker can inject characters that alter the structure of the outgoing request URL: a "../" sequence moves the request out of the intended locales directory, and "?" or "#" truncate the path and turn the rest of the template into a query string or fragment. The result is a URL-injection vulnerability that can enable path traversal or other URL-structure manipulation. Because the request is issued by the victim's browser, the practical impact depends on what the reached path serves and on how the responding server decodes and routes it.
The vulnerability was fixed in version 3.0.5 by adding sanitisation of the interpolated URL values. Until users upgrade, they can mitigate the issue by sanitising the lng and ns inputs themselves, removing dangerous characters such as .., /, \, ?, #, %, whitespace, and control characters, and limiting the length of these inputs; an allowlist of the characters a language tag or namespace legitimately needs (letters, digits, "-" and "_") is the more robust way to express the same rule.
How can this vulnerability impact me?
This vulnerability can allow an attacker to manipulate the URL structure used by the i18nextify library, potentially leading to path traversal or other URL injection attacks.
Such manipulation could enable attackers to access unintended resources or cause the application to behave unexpectedly by fetching or loading malicious or unauthorized content.
The CVSS score of 6.5 indicates a medium severity impact, with potential confidentiality and integrity impacts but no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the i18nextify library to version 3.0.5 or later, where the interpolateUrl sanitisation fix is implemented.
If upgrading immediately is not possible, sanitise the lng and ns values before they reach i18next by stripping characters such as .., /, \, ?, #, %, whitespace, and control characters, and by limiting the length of these inputs. Prefer validating against an allowlist of expected characters over stripping a blocklist, and reject (rather than silently rewrite) values that fail the check, so that a pre-encoded sequence such as %2F is not passed through.
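The following is an added example, not code from i18nextify or from this advisory, illustrating both the mechanism described in the explanation above (unsanitised lng / ns values interpolated into a loadPath template) and the interim mitigation recommended here. The template `/locales/{{lng}}/{{ns}}.json`, the origin `https://app.example`, the helper names, and the sample attacker-controlled inputs are all assumptions constructed for the demonstration; the resolution step uses the WHATWG `URL` parser to show how a browser would normalise each injected value.

```javascript
// Added example (not i18nextify's own code). Shows how unsanitised lng/ns
// values reshape an i18next-style loadPath, and an allowlist check that
// rejects them. Template, origin and helper names are assumptions.

const LOAD_PATH = "/locales/{{lng}}/{{ns}}.json";
const BASE = "https://app.example"; // constructed origin used to resolve URLs

// Naive interpolation in the style the advisory describes: values are dropped
// into the template with no encoding or validation.
function interpolateNaive(template, lng, ns) {
  return template.replace("{{lng}}", lng).replace("{{ns}}", ns);
}

// Resolve the interpolated path against the origin the way a browser would,
// so ".." segments, "?" and "#" take effect. Returns path + query + fragment.
function resolvedPath(template, lng, ns) {
  const u = new URL(interpolateNaive(template, lng, ns), BASE);
  return u.pathname + u.search + u.hash;
}

// Hardened variant: an allowlist rather than a blocklist. Language tags and
// namespace names only need letters, digits, "-" and "_", so anything else
// (including "..", "/", "\\", "?", "#", "%", whitespace and control
// characters) fails the check, and the length is capped at 32 characters.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9_-]{0,31}$/;

function isSafeSegment(value) {
  return typeof value === "string" && SAFE_SEGMENT.test(value);
}

// Reject unsafe values outright instead of rewriting them; encoding after the
// allowlist check is belt and braces (it is a no-op for values that pass).
function interpolateSafe(template, lng, ns) {
  if (!isSafeSegment(lng) || !isSafeSegment(ns)) {
    throw new Error("refusing unsafe lng/ns value");
  }
  return template
    .replace("{{lng}}", encodeURIComponent(lng))
    .replace("{{ns}}", encodeURIComponent(ns));
}

// Constructed attacker-controlled inputs for the demonstration.
const cases = [
  ["en", "translation"],                   // normal value
  ["../../admin", "translation"],          // traversal out of /locales/
  ["en?x=", "translation"],                // "?" turns the rest into a query string
  ["en#", "translation"],                  // "#" turns the rest into a fragment (never sent)
  ["en%2F..%2F..%2Fadmin", "translation"], // pre-encoded traversal: the browser keeps
                                           // %2F as-is, a server that decodes before
                                           // routing may not
];
for (const [lng, ns] of cases) {
  console.log(JSON.stringify(lng), "->", resolvedPath(LOAD_PATH, lng, ns),
              "| passes allowlist:", isSafeSegment(lng));
}
```

Run with `node` to see each injected value beside the path the browser would actually request; only the first case passes the allowlist, and `interpolateSafe` throws for every other one rather than producing a rewritten URL.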