PT-2026-37152 · Npm · I18Nextify
Published 2026-04-22 · Updated 2026-05-08 · CVE-2026-41692
CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
i18nextify versions prior to 4.0.8
Description
The software substitutes {{key}} interpolation tokens within src and href attribute values using the raw string returned by i18next.t(). The substitution logic in the replaceInside handler in src/localize.js does not validate the URL scheme of the substituted value; it only checks for a duplicated http:// origin prefix. An attacker who can influence translation files or backend responses (for example through a compromised CDN, user-contributed locales, or a MITM attack on a plain-HTTP backend) can therefore inject URIs such as javascript:, data:, vbscript:, or file:. This can lead to arbitrary JavaScript execution when a user clicks the link, or when a script payload runs in the page's origin via an <iframe>, <object>, or <embed> tag.
Recommendations
Update to version 4.0.8.
As a temporary mitigation, audit all translation files for javascript:, data:, vbscript:, and file: prefixes in values used in href or src attributes, and restrict write access to these files to trusted operators.
Fix
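The following is an added example, not i18nextify's own code, showing the two defensive checks the advisory implies: a scheme allowlist applied to the resolved value of an interpolated href/src attribute (so that a raw t() string cannot introduce javascript:, data:, vbscript: or file:), and an audit that walks a translation object for such prefixes. The names interpolateUrlAttr, auditTranslations and sampleLocale are assumptions; the sample locale is constructed for the demonstration.

```javascript
// Added example (not i18nextify's code): scheme allowlist for {{key}} substitution
// into href/src, plus an audit of translation values for dangerous URL prefixes.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Resolve a dotted key ("link.docs") inside a nested translation object.
const lookup = (obj, dotted) =>
  dotted.split('.').reduce((o, k) => (o && typeof o === 'object' ? o[k] : undefined), obj);

// Substitute {{key}} tokens, then accept the result only if the URL it resolves to
// uses an allowlisted scheme. Relative paths resolve against `base` and pass.
// Parsing with URL (rather than a string-prefix check) also catches leading
// whitespace/control characters and mixed case such as "\tJavaScript:".
function interpolateUrlAttr(template, translations, base = 'https://example.test/') {
  const value = template.replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (_, key) => {
    const hit = lookup(translations, key);
    return hit === undefined ? '' : String(hit);
  });
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return null; // unparseable value: drop the attribute rather than emit it
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? value.trim() : null;
}

// Audit helper for the advisory's temporary mitigation: report every translation
// value whose leading characters form one of the listed dangerous schemes.
const DANGEROUS_PREFIX = /^[\s\u0000-\u001f]*(javascript|data|vbscript|file)\s*:/i;

function auditTranslations(translations, path = '') {
  const findings = [];
  for (const [key, val] of Object.entries(translations)) {
    const here = path ? `${path}.${key}` : key;
    if (val && typeof val === 'object') findings.push(...auditTranslations(val, here));
    else if (typeof val === 'string' && DANGEROUS_PREFIX.test(val)) findings.push(here);
  }
  return findings;
}

// Constructed sample locale (not from any real project) used to exercise both checks.
const sampleLocale = {
  link: { docs: 'https://docs.example.test/guide', bad: '\tJavaScript:void(0)' },
  img: 'data:text/html;base64,PHNjcmlwdD4=',
  relative: '/static/logo.png',
};
```

Run auditTranslations over each loaded locale in CI, and keep the allowlist check in the rendering path so a value that slips past the audit still cannot reach the DOM as an executable scheme.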
XSS
Code Injection
Affected Products
I18Nextify