Open Redirect in Amannn Next-intl

CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relativ…

Vulnerability class: Open Redirect

EPSS: 0.001 (18.7th percentile) — read the EPSS interpretation.

Affected products

Amannn Next-intl — versions < 4.9.1

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j (x_refsource_CONFIRM)
https://github.com/amannn/next-intl/pull/2304 (x_refsource_MISC)
https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6 (x_refsource_MISC)
https://github.com/amannn/next-intl/releases/tag/v4.9.1 (x_refsource_MISC)