{"api_version":"1","generated_at":"2026-05-12T23:15:51+00:00","cve":"CVE-2026-42353","urls":{"html":"https://cve.report/CVE-2026-42353","api":"https://cve.report/api/cve/CVE-2026-42353.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42353","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42353"},"summary":{"title":"Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters","description":"i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-08 16:16:12","updated_at":"2026-05-12 15:29:40"},"problem_types":["CWE-22","CWE-918","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m","name":"https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42353","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42353","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"i18next","product":"i18next-http-middleware","version":"affected < 3.9.3","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"42353","cve":"CVE-2026-42353","epss":"0.000520000","percentile":"0.161900000","score_date":"2026-05-11","updated_at":"2026-05-12 00:01:17"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-42353","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-08T23:29:51.253615Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-08T23:30:15.045Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"i18next-http-middleware","vendor":"i18next","versions":[{"status":"affected","version":"< 3.9.3"}]}],"descriptions":[{"lang":"en","value":"i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-918","description":"CWE-918: Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-08T15:29:55.900Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m","tags":["x_refsource_CONFIRM"],"url":"https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m"}],"source":{"advisory":"GHSA-jfgf-83c5-2c4m","discovery":"UNKNOWN"},"title":"Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-42353","datePublished":"2026-05-08T15:29:55.900Z","dateReserved":"2026-04-26T13:26:14.515Z","dateUpdated":"2026-05-08T23:30:15.045Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 16:16:12","lastModifiedDate":"2026-05-12 15:29:40","problem_types":["CWE-22","CWE-918","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42353","Ordinal":"1","Title":"Path traversal / SSRF in i18next-http-middleware via user-contro","CVE":"CVE-2026-42353","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42353","Ordinal":"1","NoteData":"i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.","Type":"Description","Title":"Path traversal / SSRF in i18next-http-middleware via user-contro"}]}}}