What is CVE-2026-41690?

CVE-2026-41690 is a high-severity vulnerability in I18next I18next-http-middleware, classified under Path Traversal. CVSS score: 8.6/10. Published 2026-05-08.

How severe is CVE-2026-41690?

High severity. CVSS v3 base score is 8.6 out of 10.

Path Traversal in I18next I18next-http-middleware

CVE-2026-41690

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hostin…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (27.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L.

Affected products

I18next I18next-http-middleware — versions < 3.9.3

Weakness classification (CWE)

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-41690?: CVE-2026-41690 is a high-severity vulnerability in I18next I18next-http-middleware, classified under Path Traversal. CVSS score: 8.6/10. Published 2026-05-08.
How severe is CVE-2026-41690?: High severity. CVSS v3 base score is 8.6 out of 10.