CVE-2026-41693: CWE-73: External Control of File Name or Path in i18next i18next-fs-backend
CVE-2026-41693 is a high-severity vulnerability in i18next-fs-backend versions prior to 2. 6. 4. The issue arises because the lng and ns options are directly substituted into file path templates without encoding or validation. This allows an attacker who can control these values to perform directory traversal, potentially reading or overwriting files outside the intended locale directory. The vulnerability affects applications that derive these parameters from untrusted input, such as HTTP requests. The vulnerability has been patched in version 2. 6. 4.
AI Analysis
Technical Summary
i18next-fs-backend, a Node.js and Deno backend for loading translations from the filesystem, prior to version 2.6.4, improperly handles the lng and ns parameters by directly interpolating them into file path templates without validation or encoding. This allows an attacker who can influence these parameters—commonly derived from user input in HTTP requests—to craft values containing directory traversal sequences (e.g., ../../) or other malicious characters to read or overwrite arbitrary files outside the intended directory. This is a classic external control of file name or path vulnerability (CWE-73) combined with directory traversal (CWE-22). The issue is fixed in version 2.6.4.
Potential Impact
An attacker able to control the lng or ns parameters can exploit this vulnerability to read sensitive files or overwrite files on the server filesystem outside the intended translation directories. This can lead to information disclosure (e.g., reading /etc/passwd) or limited integrity impact by overwriting files. The CVSS 3.1 base score is 8.2, reflecting high impact on confidentiality and some impact on integrity, with no impact on availability. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade i18next-fs-backend to version 2.6.4 or later, where this vulnerability is patched. Until upgraded, avoid using untrusted input to set the lng or ns options or implement strict validation and sanitization to prevent directory traversal sequences and other malicious input. Since this is a code-level vulnerability, patching is the primary and recommended remediation.
CVE-2026-41693: CWE-73: External Control of File Name or Path in i18next i18next-fs-backend
Description
CVE-2026-41693 is a high-severity vulnerability in i18next-fs-backend versions prior to 2. 6. 4. The issue arises because the lng and ns options are directly substituted into file path templates without encoding or validation. This allows an attacker who can control these values to perform directory traversal, potentially reading or overwriting files outside the intended locale directory. The vulnerability affects applications that derive these parameters from untrusted input, such as HTTP requests. The vulnerability has been patched in version 2. 6. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
i18next-fs-backend, a Node.js and Deno backend for loading translations from the filesystem, prior to version 2.6.4, improperly handles the lng and ns parameters by directly interpolating them into file path templates without validation or encoding. This allows an attacker who can influence these parameters—commonly derived from user input in HTTP requests—to craft values containing directory traversal sequences (e.g., ../../) or other malicious characters to read or overwrite arbitrary files outside the intended directory. This is a classic external control of file name or path vulnerability (CWE-73) combined with directory traversal (CWE-22). The issue is fixed in version 2.6.4.
Potential Impact
An attacker able to control the lng or ns parameters can exploit this vulnerability to read sensitive files or overwrite files on the server filesystem outside the intended translation directories. This can lead to information disclosure (e.g., reading /etc/passwd) or limited integrity impact by overwriting files. The CVSS 3.1 base score is 8.2, reflecting high impact on confidentiality and some impact on integrity, with no impact on availability. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade i18next-fs-backend to version 2.6.4 or later, where this vulnerability is patched. Until upgraded, avoid using untrusted input to set the lng or ns options or implement strict validation and sanitization to prevent directory traversal sequences and other malicious input. Since this is a code-level vulnerability, patching is the primary and recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T03:53:24.407Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe067ecbff5d8610f67297
Added to database: 5/8/2026, 3:51:26 PM
Last enriched: 5/8/2026, 4:06:51 PM
Last updated: 5/8/2026, 9:56:35 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.