JavaScript Library i18nextify Vulnerability in Internationalization Feature
CVE-2026-41692

4.7 MEDIUM

Key Information:

Vendor

I18next

CVE Published:
7 May 2026

What is CVE-2026-41692?

The i18nextify library is susceptible to a vulnerability that allows an attacker to inject malicious scripts into the live DOM. The library substitutes interpolation tokens within src and href attributes without proper validation of the URL scheme. An attacker who gains influence over the content of translation files or over responses from the translation backend can exploit this flaw, potentially compromising the integrity of the application. The issue arises particularly when traditional web security measures fail, such as with a compromised translation CDN or weak protection on a plain HTTP backend. The vulnerability was patched in version 4.0.8.
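
The missing check described above, as an added example that is not i18nextify's code or its 4.0.8 patch: a scheme allowlist applied to values interpolated into src and href. The function names, the {{token}} syntax and the allowlist contents are assumptions made for illustration, and the sample values in the comments are constructed.

```javascript
// Hypothetical helper names; not part of the i18nextify API.
const URL_ATTRS = new Set(['src', 'href']);
// Assumed allowlist; adjust to what the application actually needs.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Substitute {{name}} tokens with values that came from a translation resource.
function interpolate(template, values) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : '');
}

// True when the URL is relative or carries an allowlisted scheme.
function hasSafeScheme(url) {
  // Browsers drop tab/CR/LF anywhere and leading control characters or
  // spaces before reading the scheme, so normalise the same way first.
  const cleaned = url.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme: relative or protocol-relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase() + ':');
}

// Interpolate an attribute value. For src/href, return null when the
// result would carry a scheme outside the allowlist, so the caller can
// leave the original attribute untouched instead of writing it to the DOM.
function safeAttrValue(attrName, template, values) {
  const result = interpolate(template, values);
  if (URL_ATTRS.has(attrName.toLowerCase()) && !hasSafeScheme(result)) {
    return null;
  }
  return result;
}

// Constructed samples:
//   safeAttrValue('href', '{{link}}', { link: 'https://example.com/docs' })
//   safeAttrValue('href', '{{link}}', { link: 'JaVa\tScript:void(0)' })
```

The check runs on the fully interpolated string rather than on the token value alone, because a template such as `{{scheme}}:{{rest}}` can assemble a scheme from individually harmless parts.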

Affected Version(s)

i18nextify < 4.0.8

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved