Prototype Pollution Vulnerability in i18next-http-middleware for Node.js Frameworks
CVE-2026-48714

9.1 CRITICAL

Key Information:

Vendor: I18next
CVE Published: 15 June 2026

What is CVE-2026-48714?

i18next-http-middleware prior to version 3.9.7 contains a vulnerability in which the missingKeyHandler does not adequately block certain key variants, including 'proto.polluted'. This can result in remote prototype pollution, particularly in applications that expose this handler to untrusted user input and use i18next-fs-backend version 2.6.5 or below. Malicious input can lead to corrupted translations, configuration poisoning, application crashes, or bypassed security checks. To mitigate this risk, developers should avoid exposing the missingKeyHandler publicly, implement request-body filters that reject dangerous keys, and disable persistence features for untrusted input.
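
One way to implement the request-body filter mitigation described above, as an added example (not code from i18next or from this advisory). The denylist, the `.` key separator, the depth limit and the function names are assumptions, and the sample bodies are constructed.

```javascript
'use strict';

// Assumed denylist: property names commonly abused for prototype pollution.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 8; // assumed limit; deeper bodies are rejected (fail closed)

// Returns the path of the first offending key, or null when the body is clean.
// Each key is split on `separator` so dotted variants are checked per segment.
function findDangerousKey(value, separator = '.', depth = 0, path = '') {
  if (value === null || typeof value !== 'object') return null;
  if (depth > MAX_DEPTH) return path || '<root>';
  // JSON.parse stores "__proto__" as an own property, so Object.keys sees it.
  for (const key of Object.keys(value)) {
    const here = path ? `${path} > ${key}` : key;
    const segments = key.split(separator).map((s) => s.trim());
    if (segments.some((s) => FORBIDDEN.has(s))) return here;
    const nested = findDangerousKey(value[key], separator, depth + 1, here);
    if (nested !== null) return nested;
  }
  return null;
}

// Express-style middleware (hypothetical name); mount it after the JSON body
// parser and before the route that serves missingKeyHandler.
function rejectDangerousKeys({ keySeparator = '.' } = {}) {
  return function (req, res, next) {
    const hit = findDangerousKey(req.body, keySeparator);
    if (hit === null) return next();
    console.warn('rejected missing-key request, offending key:', JSON.stringify(hit));
    res.statusCode = 400;
    res.end('invalid translation key');
  };
}

// Constructed sample bodies, in the key -> default value shape of a missing-key POST.
const samples = [
  '{"greeting.title":"Hello"}',
  '{"__proto__.polluted":"yes"}',
  '{"menu":{"constructor.prototype.isAdmin":"true"}}',
];
for (const raw of samples) {
  console.log(raw, '=>', findDangerousKey(JSON.parse(raw)));
}
```

A legitimate translation key that happens to contain one of the denied segments is also rejected, so check existing key names before enabling the filter.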

Affected Version(s)

i18next-http-middleware < 3.9.7

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved