I18Nextify
Monthly
DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.
DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.