i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser. This affects i18next <=1.10.2.
{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:i18next:i18next:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.2"
}
]
}