CVE-2026-41691
Analyzed Analyzed - Analysis Complete
URL Injection in i18nextify JavaScript Library

Publication date: 2026-05-07

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default β€” i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection β€” both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41691
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
i18next i18next-http-backend to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the i18nextify JavaScript library versions prior to 3.0.5. This library adds website internationalization via a script tag without requiring source code changes. The issue arises because the library interpolates the language (lng) and namespace (ns) values directly into the URL templates (loadPath / addPath) without any encoding, validation, or path sanitisation.

Since the language code selection can be controlled by user input (for example, through query parameters, cookies, localStorage, or request headers), an attacker can inject malicious characters that alter the structure of the outgoing request URL. This leads to a URL-injection vulnerability that can enable path traversal or other URL structure manipulations.

The vulnerability was fixed in version 3.0.5 by adding proper sanitisation of the interpolated URL values. Until users upgrade, they can mitigate the issue by sanitising the lng and ns inputs themselves, removing dangerous characters like .., /, \, ?, #, %, whitespace, and control characters, and limiting the length of these inputs.

Impact Analysis

This vulnerability can allow an attacker to manipulate the URL structure used by the i18nextify library, potentially leading to path traversal or other URL injection attacks.

Such manipulation could enable attackers to access unintended resources or cause the application to behave unexpectedly by fetching or loading malicious or unauthorized content.

The CVSS score of 6.5 indicates a medium severity impact, with potential confidentiality and integrity impacts but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the i18nextify library to version 3.0.5 or later, where the interpolateUrl sanitisation fix is implemented.

If upgrading immediately is not possible, sanitize the lng and ns values before they reach i18next by stripping characters such as .., /, \, ?, #, %, whitespace, and control characters, and limit the length of these inputs.

Compliance Impact

The vulnerability in i18nextify allows an attacker to inject malicious characters into URL paths due to lack of encoding, validation, or sanitisation of user-controlled input. This can lead to URL-injection attacks including path traversal and URL-structure manipulation.

Such vulnerabilities can potentially expose sensitive data or allow unauthorized access, which may impact compliance with standards like GDPR and HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart