CVE-2026-41692

Published: May 7, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

4.7

MEDIUM

Description

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix — it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response — for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8.

Vendor	Product	Versions
i18next	i18nextify	affected `< 4.0.8`

Weaknesses (CWE)

CWE-79

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/i18next/i18nextify/security/advisories/GHSA-6457-mxpq-4fqq

x_refsource_CONFIRM

https://github.com/i18next/i18nextify/commit/16f23dbcdcf893673587f7a03355bf7ce0a0e49e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41692

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References