Next Intl

1 CVE for this product

CVE-2026-40299 | npm | MEDIUM | PATCH | This Month

Open redirect vulnerability in the next-intl middleware prior to version 4.9.1 allows remote attackers to craft malicious URLs that bypass path-handling validation when `localePrefix: 'as-needed'` is configured, redirecting users to arbitrary hosts via scheme-relative URLs or via control characters that the WHATWG URL parser strips. Unauthenticated attackers can exploit this through social engineering (phishing links) to redirect users from trusted application URLs to attacker-controlled domains. A patch is available in next-intl 4.9.1.

Open Redirect | Next Intl
References: NVD, GitHub
CVSS 4.0: 6.9
EPSS: 0.0%
Severity: MEDIUM | Patch available | This Month

