CVE-2026-41690HIGH 8.6EPSS p22.6%

CVE-2026-41690CVE-2026-41690

Description

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS0.31% probability of exploitation · percentile 22.6% · 2026-06-18T12:00:27Z
Published2026-05-08
Last modified2026-05-12

Underlying weaknesses· 2

CWE-22CWE-1321

References

  1. https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw

2

TypeTargetConfidenceTier
WeaknessImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')cwe-13210%live
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41683
CVE
CVE-2026-42353
CVE
CVE-2025-29927
CVE
CVE-2026-44574
CVE
CVE-2026-2293
CVE
CVE-2026-44578
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.