CVE-2026-42353

Published: May 8, 2026

Modified: May 8, 2026

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

Vendor	Product	Versions
i18next	i18next-http-middleware	affected `< 3.9.3`

Weaknesses (CWE)

CWE-22

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42353

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References