i18next-locize-backend has URL Injection via Unsanitized Path Parameters

Description

Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding.

Recommendation

Update the i18next-locize-backend package to the latest compatible version. Followings are version details:

• Affected version(s): < 9.0.2
• Patched version(s): 9.0.2

References

• GHSA-mgcp-mfp8-3q45
• CVE-2026-41885
• CWE-22
• CWE-74
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
• Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
• i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
• i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690

You might also like:

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

i18next-locize-backend