URL Injection Vulnerability in i18next Library by i18next
CVE-2026-41691

6.5 MEDIUM

Key Information:

Vendor: i18next
CVE Published: 7 May 2026

What is CVE-2026-41691?

The i18next library, a popular tool for website internationalization, is prone to a URL injection vulnerability in versions before 3.0.5. This vulnerability arises because the library interpolates user-provided language and namespace values directly into its URL templates without proper encoding or validation. Consequently, attackers can manipulate query parameters, cookies, or other inputs to influence the structure of the outgoing request URL. This introduces risks of both path traversal and broader URL structure manipulation. While users are encouraged to upgrade to version 3.0.5, those unable to do so immediately should implement sanitization measures, such as removing potentially harmful characters and limiting input length, to mitigate risks until an upgrade can be performed.
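
The interim sanitization described above, as an added example that is not code from i18next or from this advisory: language and namespace values are checked against an allowlist and a length limit before they reach a URL template. The template string, the 32-character limit, the allowed character set and all function names are assumptions for illustration.

```javascript
// Assumed policy (not from the advisory): letters, digits, '_' and '-' only,
// at most 32 characters. Tighten it to the languages and namespaces you ship.
const MAX_LEN = 32;
const SAFE = /^[A-Za-z0-9_-]+$/;

// Returns the value if it satisfies the policy, otherwise the fallback.
function safeToken(value, fallback) {
  if (typeof value !== 'string') return fallback;
  if (value.length === 0 || value.length > MAX_LEN) return fallback;
  return SAFE.test(value) ? value : fallback;
}

// Unvalidated interpolation: the behaviour the advisory describes, where
// values are placed into the URL template without encoding or validation.
function interpolateRaw(template, lng, ns) {
  return template.replace('{{lng}}', () => lng).replace('{{ns}}', () => ns);
}

// Hardened: validate first, then percent-encode as defence in depth.
function interpolateSafe(template, lng, ns, defaults) {
  const l = encodeURIComponent(safeToken(lng, defaults.lng));
  const n = encodeURIComponent(safeToken(ns, defaults.ns));
  return template.replace('{{lng}}', () => l).replace('{{ns}}', () => n);
}

// Constructed sample input: a language value as it might arrive from a
// query parameter or cookie. TEMPLATE and DEFAULTS are assumed values.
const TEMPLATE = '/locales/{{lng}}/{{ns}}.json';
const DEFAULTS = { lng: 'en', ns: 'translation' };
const UNTRUSTED = '../../other/path?x=';

function demo() {
  return {
    raw: interpolateRaw(TEMPLATE, UNTRUSTED, 'translation'),
    safe: interpolateSafe(TEMPLATE, UNTRUSTED, 'translation', DEFAULTS),
    normal: interpolateSafe(TEMPLATE, 'en-US', 'common', DEFAULTS),
  };
}

console.log(demo());
```

Rejecting to a known default, rather than stripping characters and using what remains, keeps the request on a path the application actually serves.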

Affected Version(s)

i18next-http-backend < 3.0.5

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
