CVE-2026-42353 · HIGH 8.2 · EPSS p30.3%

Description

i18next-http-middleware is a middleware for Node.js web frameworks such as Express or Fastify, and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
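
As defense in depth alongside the upgrade, an application can allowlist lng and ns before they reach any backend loader. The guard below is an added example, not the project's 3.9.3 patch or any i18next API: the function names, the regular expressions and the assumption that multiple values arrive space-separated are all illustrative.

```javascript
// Hypothetical guard; names and patterns are assumptions, not i18next-http-middleware API.
// Allowlist: BCP 47-like language tags and simple namespace names only.
const LNG_RE = /^[A-Za-z]{2,8}(?:[-_][A-Za-z0-9]{1,8})*$/;
const NS_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/;

function isSafeSegment(value, pattern) {
  if (typeof value !== 'string') return false;
  // Reject anything that could alter the file path or URL a backend builds.
  if (value.includes('..') || /[\/\\:?#%@\0\s]/.test(value)) return false;
  return pattern.test(value);
}

// Splits a raw query value (assumed space-separated) into accepted/rejected items.
function filterSegments(raw, pattern, allowed) {
  const accepted = [];
  const rejected = [];
  for (const item of String(raw ?? '').split(' ').filter(Boolean)) {
    const ok = isSafeSegment(item, pattern) && (!allowed || allowed.includes(item));
    (ok ? accepted : rejected).push(item);
  }
  return { accepted, rejected };
}

// Returns values safe to hand to a backend loader, or throws so the
// route handler can answer 400 and log the rejected input.
function sanitizeResourceRequest(query, { languages, namespaces } = {}) {
  const lng = filterSegments(query.lng, LNG_RE, languages);
  const ns = filterSegments(query.ns, NS_RE, namespaces);
  const rejected = [...lng.rejected, ...ns.rejected];
  if (rejected.length || !lng.accepted.length || !ns.accepted.length) {
    const err = new Error('invalid lng/ns value');
    err.status = 400;
    err.rejected = rejected;
    throw err;
  }
  return { languages: lng.accepted, namespaces: ns.accepted };
}

// Constructed sample inputs (not taken from the advisory).
for (const q of [{ lng: 'en', ns: 'common' }, { lng: 'en', ns: '../config' }]) {
  try { console.log(sanitizeResourceRequest(q)); }
  catch (e) { console.log(e.status, e.rejected); }
}
```

Passing the application's own configured language and namespace lists as the second argument narrows the check from "well-formed" to "known", which is the stronger control.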

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.39% probability of exploitation · percentile 30.3% · 2026-06-21T12:00:28Z
Published: 2026-05-08
Last modified: 2026-05-12

Underlying weaknesses · 2

CWE-22, CWE-918

References

  1. https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m

Type | Target | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0% | live
Weakness | Server-Side Request Forgery (SSRF) (cwe-918) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41683
  2. CVE-2026-41693
  3. CVE-2026-41690
  4. CVE-2025-57822
  5. CVE-2025-29927
  6. CVE-2026-44574

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.