
i18next-http-middleware EUVD-2026-28792

CVE-2026-41690 HIGH
Path Traversal (CWE-22)
2026-05-08 GitHub_M
CVSS 3.1 base score: 8.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: May 08, 2026 - 17:02 (EUVD)
Source Code Evidence Fetched: May 08, 2026 - 16:30 (vuln.today)
Analysis Generated: May 08, 2026 - 16:30 (vuln.today)
CVE Published: May 08, 2026 - 15:24 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):
  • 1 npm package depends on i18next-http-middleware (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.3.

Description (NVD)

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (`if (user.isAdmin)` returning true for any user), cause type-confusion DoS, and, depending on downstream code, it can be chained into RCE.
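The defensive pattern the description implies, as an added JavaScript illustration that is not i18next-http-middleware's own code: request-supplied language, namespace and key segments are allowlisted before they are used as object keys, and the store itself is built from null-prototype objects so that no write can reach Object.prototype. ResourceStore, validateSegment and handleMissingKey are hypothetical names, and the request shape (`req.params`, `req.body`) is assumed.

```javascript
// Added example, not code from i18next-http-middleware: a defensive pattern
// for the vulnerability class in the description, where request-supplied
// language/namespace/key values are used as keys in nested object writes.
// ResourceStore, validateSegment and handleMissingKey are hypothetical names.

// Keys that reach Object.prototype through a plain object's prototype chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
// Constructed allowlist shape for locale / namespace / key segments
// (e.g. "en", "en-US", "translation", "home.title").
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/;

function validateSegment(value) {
  return typeof value === 'string' && SEGMENT.test(value) && !FORBIDDEN.has(value);
}

// Nested containers are created with Object.create(null), so they have no
// prototype chain at all: even an unexpected key cannot land on Object.prototype.
class ResourceStore {
  constructor() { this.data = Object.create(null); }
  set(lng, ns, key, value) {
    for (const seg of [lng, ns, key]) {
      if (!validateSegment(seg)) {
        const err = new Error('rejected resource segment: ' + String(seg));
        err.status = 400;
        throw err;
      }
    }
    if (!this.data[lng]) this.data[lng] = Object.create(null);
    if (!this.data[lng][ns]) this.data[lng][ns] = Object.create(null);
    this.data[lng][ns][key] = String(value);
  }
  get(lng, ns, key) {
    const nsObj = this.data[lng] && this.data[lng][ns];
    return nsObj ? nsObj[key] : undefined;
  }
}

// Framework-neutral stand-in for a "missing key" endpoint: req.params carries
// lng/ns from the URL, req.body the parsed JSON mapping key -> fallback text.
function handleMissingKey(store, req) {
  const params = req.params || {};
  const body = req.body && typeof req.body === 'object' ? req.body : {};
  try {
    for (const key of Object.keys(body)) store.set(params.lng, params.ns, key, body[key]);
    return { status: 200, body: { ok: true } };
  } catch (err) {
    return { status: err.status === 400 ? 400 : 500, body: { ok: false } };
  }
}
```

Note that JSON.parse creates an own property named `__proto__` when the body contains that key, so Object.keys does surface it and the validator rejects it before any write happens.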

Analysis (AI-generated)

Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. …


Remediation (AI-generated)

Within 24 hours: Identify all applications using i18next-http-middleware and document current versions via dependency manifests (package.json, package-lock.json, or yarn.lock). Within 7 days: Implement network-level access restrictions to getResourcesHandler and missingKeyHandler endpoints; restrict access to trusted internal systems only. …
