CVE-2026-41683: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in i18next i18next-http-middleware
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.
AI Analysis
Technical Summary
The vulnerability in i18next-http-middleware (before 3.9.3) involves improper neutralization of input during web page generation, specifically in how user-controlled language parameters are handled. The middleware uses utils.escape(), an HTML-entity encoder that fails to strip CRLF or other control characters. When combined with older i18next versions (< 19.5.0) that produce raw language detection values, CRLF injection can occur in the Content-Language HTTP header. This can lead to cross-site scripting (CWE-79) and HTTP response splitting (CWE-113) attacks. The issue is fixed in i18next-http-middleware version 3.9.3.
Potential Impact
An attacker can exploit this vulnerability to inject malicious scripts via the Content-Language HTTP header by supplying crafted language parameters, potentially leading to cross-site scripting attacks. The CVSS score of 8.6 indicates high impact with low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects confidentiality, integrity, and availability to varying degrees (confidentiality low, integrity high, availability low).
Mitigation Recommendations
This vulnerability is fixed in i18next-http-middleware version 3.9.3. Users should upgrade to version 3.9.3 or later to remediate this issue. No official remediation level is provided beyond this patch. Patch status is confirmed by the vendor advisory stating the fix is included in version 3.9.3. If upgrading is not immediately possible, carefully validate and sanitize user-controlled language inputs to prevent injection of CRLF sequences, though this is a temporary measure.
CVE-2026-41683: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in i18next i18next-http-middleware
Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in i18next-http-middleware (before 3.9.3) involves improper neutralization of input during web page generation, specifically in how user-controlled language parameters are handled. The middleware uses utils.escape(), an HTML-entity encoder that fails to strip CRLF or other control characters. When combined with older i18next versions (< 19.5.0) that produce raw language detection values, CRLF injection can occur in the Content-Language HTTP header. This can lead to cross-site scripting (CWE-79) and HTTP response splitting (CWE-113) attacks. The issue is fixed in i18next-http-middleware version 3.9.3.
Potential Impact
An attacker can exploit this vulnerability to inject malicious scripts via the Content-Language HTTP header by supplying crafted language parameters, potentially leading to cross-site scripting attacks. The CVSS score of 8.6 indicates high impact with low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects confidentiality, integrity, and availability to varying degrees (confidentiality low, integrity high, availability low).
Mitigation Recommendations
This vulnerability is fixed in i18next-http-middleware version 3.9.3. Users should upgrade to version 3.9.3 or later to remediate this issue. No official remediation level is provided beyond this patch. Patch status is confirmed by the vendor advisory stating the fix is included in version 3.9.3. If upgrading is not immediately possible, carefully validate and sanitize user-controlled language inputs to prevent injection of CRLF sequences, though this is a temporary measure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T03:53:24.406Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe067ecbff5d8610f67291
Added to database: 5/8/2026, 3:51:26 PM
Last enriched: 5/8/2026, 4:07:10 PM
Last updated: 5/9/2026, 3:49:19 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.