i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns

Severity:: Medium

Description

Versions of i18next-http-backend prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation.

Recommendation

Update the i18next-http-backend package to the latest compatible version. Followings are version details:

Affected version(s): < 3.0.5
Patched version(s): 3.0.5

References

GHSA-q89c-q3h5-w34g
CVE-2026-41691
CWE-22
CWE-74
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()` - CVE-2026-44635

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; i18next-http-backend

Anything's wrong? Let us know Last updated on May 11, 2026