PT-2026-37153 · Npm · I18Next-Fs-Backend

Published: 2026-04-22 · Updated: 2026-05-08 · CVE-2026-41693

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
i18next-fs-backend versions prior to 2.6.4

Description
i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath and addPath templates to read or write files from the disk. Because this interpolation is unencoded and unvalidated, an attacker who can influence these values—such as through query strings, cookies, or headers in request-scoped instances—can use crafted values containing path separators or prototype keys to read or overwrite files outside the intended locale directory. This can lead to arbitrary file read, arbitrary file overwrite, or server-side execution if the backend is configured to load and evaluate .js or .ts files.

Technical details
The vulnerable functions read(), removeFile(), and writeFile() all rely on an interpolate() helper in lib/utils.js that performs no validation of the substituted path components.

Recommendations
Update to version 2.6.4. As a temporary workaround, sanitize lng and ns at the application boundary by rejecting values that contain .., /, \, or control characters, and by limiting the maximum string length.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-41693
GHSA-8847-338W-5HCJ

Affected Products

I18Next-Fs-Backend