Skip to main content

i18nextify CVE-2026-41692

| EUVDEUVD-2026-28440 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 GitHub_M
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 07, 2026 - 22:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 21:00 vuln.today
Analysis Generated
May 07, 2026 - 21:00 vuln.today
CVE Published
May 07, 2026 - 20:01 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix - it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response - for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8.

AnalysisAI

DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.

Technical ContextAI

i18nextify is a JavaScript internationalization library that injects translations into live DOM by replacing {{key}} interpolation tokens in element attributes and text content. The library intentionally renders HTML from translation strings to support formatting tags like <b>, <em>, and <a href>. The vulnerability exists in src/localize.js in the replaceInside handler (around line 122), which substitutes translated values into href and src attributes without validating the URL scheme. The code only checked for duplicated http:// prefixes but did not block dangerous schemes like javascript:, data:, vbscript:, or file:. These schemes are evaluated by the browser when applied to live DOM attributes: javascript: URIs are executed when clicked, data: URIs load inline content (including HTML/script) in the page's origin, vbscript: executes on legacy Internet Explorer, and file: accesses local resources. The root cause is improper input validation on substituted attribute values (CWE-79: Improper Neutralization of Input During Web Page Generation).

RemediationAI

Upgrade i18nextify to version 4.0.8 or later immediately. The patch blocks javascript:, data:, vbscript:, and file: URL schemes (case-insensitive, ignoring leading whitespace) when substituted into href and src attributes. Additionally, version 4.0.8 introduces an optional sanitize(html, ctx) hook that developers can configure to wire external sanitizers (e.g., DOMPurify) for additional protection on translated HTML bodies; this is recommended for applications with partially trusted translation sources (user-contributed locales, third-party CDNs). The advisory also fixes two related issues: the debug= and saveMissing= URL parameter detection now uses URLSearchParams for exact matching instead of substring matching, preventing parameter confusion attacks. For applications unable to immediately upgrade, compensating controls include serving the translation backend over HTTPS only (preventing MITM interception), restricting write access to translation JSON files, implementing a Content Security Policy that disallows data: and javascript: scheme execution, and avoiding user-contributed translations in the live backend without explicit sanitization. Note that CSP mitigation has trade-offs: restricting inline scripts may break legitimate i18nextify functionality depending on how translations are structured.

Share

CVE-2026-41692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy