What is the CVSS score of CVE-2026-41693?

CVE-2026-41693 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of i18next-fs-backend are affected by CVE-2026-41693?

CVE-2026-41693 is a critical path traversal vulnerability in i18next-fs-backend that allows unauthenticated attackers to read sensitive files like /etc/passwd or overwrite application files through…. A patch is available.

i18next-fs-backend CVE-2026-41693

EUVD-2026-28793 HIGH

External Control of File Name or Path (CWE-73)

2026-05-08 GitHub_M

Information Disclosure Node.js

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Patch available

May 08, 2026 - 17:02 EUVD

Source Code Evidence Fetched

May 08, 2026 - 16:31 vuln.today

Analysis Generated

May 08, 2026 - 16:31 vuln.today

CVE Published

May 08, 2026 - 15:38 nvd

HIGH 8.2

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on i18next-fs-backend (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.6.4.

DescriptionNVD

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value - containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string - allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.

AnalysisAI

Path traversal in i18next-fs-backend allows remote unauthenticated attackers to read arbitrary files (including /etc/passwd) or overwrite application files when language/namespace parameters derive from user input. Applications exposing i18next language detection via query strings, cookies, or headers (common with i18next-http-middleware or i18next-browser-languagedetector) are vulnerable to immediate exploitation with zero authentication (CVSS AV:N/AC:L/PR:N/UI:N). …

RemediationAI

Within 24 hours: Identify all applications using i18next-fs-backend by scanning package.json and npm audit output; immediately disable automatic language detection via query parameters and restrict language selection to a hardcoded whitelist. Within 7 days: Upgrade i18next-fs-backend to version 2.6.4 or later across all affected systems; if upgrade is blocked, implement network-level input validation to reject any language parameter containing '../' or path traversal sequences. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41693 vulnerability details – vuln.today

Back

i18next-fs-backend CVE-2026-41693

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code