CVE-2026-42353

Source
https://cve.org/CVERecord?id=CVE-2026-42353
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42353.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42353
Aliases
Published
2026-05-08T15:29:55.900Z
Modified
2026-07-08T08:13:16.491077016Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters
Details

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42353.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/i18next/i18next-http-middleware

Affected ranges

Type
GIT
Repo
https://github.com/i18next/i18next-http-middleware
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.9.3"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.4.1
v3.5.0
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.9.0
v3.9.1
v3.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42353.json"