CVE-2026-41693
Received Received - Intake
Path Traversal in i18next-fs-backend

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value β€” containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string β€” allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41693
EUVD
EUVD-2026-28793
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
i18next fs_backend to 2.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for requests that include suspicious or malicious values for the lng or ns parameters, such as path traversal sequences (e.g., ../../) or unusually long strings.

One way to detect exploitation attempts is to inspect HTTP request logs for query strings, cookies, or headers that set lng or ns to values containing path traversal patterns.

For example, you can use command-line tools like grep to search web server logs for such patterns.

  • grep -E '\?lng=\.\./|\?ns=\.\./' /path/to/access.log
  • grep -E 'lng=\.\./|ns=\.\./' /path/to/access.log

Additionally, monitoring for unexpected file read or write operations outside the intended locale directory on the filesystem may help detect exploitation.

Executive Summary

The vulnerability exists in i18next-fs-backend versions prior to 2.6.4, which is a backend layer for i18next used in Node.js and Deno to load translation files from the filesystem.

The issue arises because the lng (language) and ns (namespace) options are directly substituted into file path templates without encoding or validation.

An attacker who can control these values can craft them to include path traversal sequences (like ".."), path separators, control characters, prototype keys, or very long strings.

This allows the attacker to read or overwrite files outside the intended locale directory by manipulating the file paths used by the backend.

For example, if lng is set to a path like "../../../../etc/passwd", the backend will attempt to read that file, potentially exposing sensitive system files.

This vulnerability has been fixed in version 2.6.4.

Impact Analysis

This vulnerability can allow an attacker to read sensitive files on the server or overwrite files outside the intended translation directories.

If an attacker can influence the lng or ns parameters (for example, via HTTP requests where language is user-controlled), they could access sensitive system files such as password files or configuration files.

This could lead to information disclosure, unauthorized data access, or potentially modifying files leading to further compromise.

Mitigation Strategies

To mitigate this vulnerability, upgrade i18next-fs-backend to version 2.6.4 or later, where the issue has been patched.

Additionally, avoid using untrusted input for the lng and ns options, especially when these values can be influenced by end users via query strings, cookies, or headers.

Compliance Impact

The vulnerability allows attackers to read or overwrite arbitrary files on the filesystem by exploiting unsanitized input used in file path templates. This unauthorized access to sensitive files can lead to exposure or modification of personal or protected data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure or alteration.

Therefore, if exploited, this vulnerability could result in violations of data protection requirements, leading to legal and regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart