CVE-2026-41691: i18nextify is a JavaScript library that adds website internat
Summary
i18nextify is a JavaScript library that enables website internationalization (support for multiple languages) through a simple script tag. Versions before 3.0.5 have a URL-injection vulnerability, in which attackers can manipulate URLs by injecting special characters: the library doesn't properly validate language and namespace values before using them in web requests. The issue is exploitable if an application accepts user input for language selection.
Solution / Mitigation
This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next: strip .., /, \, ?, #, %, whitespace, and control characters, and cap the length.
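One way to write the workaround sanitiser described above, as an added example that is not code from i18nextify or i18next. The function names, the length cap of 32 and the fallback values are assumptions; the advisory gives no specific numbers or defaults.

```javascript
// Added example: hypothetical helpers, not part of i18nextify or i18next.
const MAX_LEN = 32; // assumed cap; the advisory does not give a number

// /, \, ?, #, %, whitespace, and control characters (C0, DEL, C1)
const FORBIDDEN = /[\/\\?#%\s\u0000-\u001f\u007f-\u009f]/g;

function sanitizeToken(value, fallback) {
  // Anything that is not a string is replaced by the safe fallback.
  if (typeof value !== 'string') return fallback;
  let out = value.replace(FORBIDDEN, '');
  // Remove ".." only after the single characters are gone, and repeat:
  // stripping can bring dots together ("./." becomes ".."), which would
  // otherwise leave a fresh traversal sequence behind.
  while (out.includes('..')) out = out.split('..').join('');
  out = out.slice(0, MAX_LEN);
  // An input that sanitises to nothing falls back as well.
  return out.length > 0 ? out : fallback;
}

// lng is treated as a string; ns may be a string or an array of strings.
// The defaults here are assumptions chosen for the example.
function sanitizeLngNs(input, defaults = { lng: 'en', ns: 'translation' }) {
  const lng = sanitizeToken(input.lng, defaults.lng);
  const nsList = Array.isArray(input.ns) ? input.ns : [input.ns];
  const ns = nsList.map((n) => sanitizeToken(n, defaults.ns));
  return { lng, ns };
}

// Constructed sample input, e.g. values taken from a query string.
const cleaned = sanitizeLngNs({ lng: 'de\r\n', ns: ['common', '..\\..\\x'] });
console.log(cleaned); // pass cleaned.lng / cleaned.ns on instead of the raw values
```

Where the set of supported languages and namespaces is known in advance, checking the sanitised value against that list is stricter than character stripping alone.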
Vulnerability Details
CVSS score: 6.5 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
May 7, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41691
First tracked: May 7, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 70%