CVE-2026-41692
Analyzed Analyzed - Analysis Complete
XSS via Unsafe URL Substitution in i18nextify

Publication date: 2026-05-07

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix β€” it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response β€” for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41692
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
i18next i18nextify to 4.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the i18nextify JavaScript library versions prior to 4.0.8. This library adds website internationalization by substituting {{key}} interpolation tokens inside src and href attribute values with translated strings. However, the substitution logic only prevents duplicated http:// prefixes and does not validate the URL scheme of the substituted value.

As a result, an attacker who can influence the translation contentβ€”such as through a compromised translation CDN, user-contributed locales, a man-in-the-middle attack on an unencrypted backend, or write access to the translation JSONβ€”can inject malicious URL schemes like javascript: or data: into these attributes. This causes the malicious code to be applied directly to the live DOM, potentially leading to cross-site scripting (XSS) attacks.

This issue was fixed in version 4.0.8 of i18nextify.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks by allowing attackers to inject malicious scripts into the src or href attributes of a website using the i18nextify library. If exploited, it can result in unauthorized script execution in users' browsers.

  • Compromise of user data through theft of cookies or session tokens.
  • Execution of arbitrary malicious code in the context of the affected website.
  • Potential redirection to malicious websites or phishing pages.
  • Loss of user trust and damage to the website's reputation.
Mitigation Strategies

To mitigate this vulnerability, upgrade the i18nextify library to version 4.0.8 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41692. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart