Path Traversal and SSRF Vulnerability in i18next-http-middleware for Node.js
CVE-2026-42353

8.2HIGH

Key Information:

Vendor: I18next
Status: I18next-http-middleware
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42353?

The i18next-http-middleware, utilized in Node.js frameworks like Express and Fastify, contains a vulnerability that allows user-supplied lng and ns parameters to be passed directly into the backend loading process without appropriate sanitization. This flaw can facilitate path traversal or Server-Side Request Forgery (SSRF) attacks, depending on the backend configuration. Users are advised to upgrade to version 3.9.3 where this issue has been resolved.

Affected Version(s)

i18next-http-middleware < 3.9.3

References

https://github.com/i18next/i18next-http-middleware/securi...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42353 Data

JSON

I18next

What is CVE-2026-42353?

Affected Version(s)

References

CVSS V3.1

Timeline