EXECUTIVE SUMMARY:
CVE-2026-41683, with a CVSS score of 8.6, is a vulnerability in i18next-http-middleware, an HTTP middleware for i18next, affecting versions prior to 3.9.3. The issue arises because the detected language value is written to the Content-Language response header without sanitization, so an attacker-controlled language value containing CRLF sequences reaches the header verbatim. When an older version of i18next is used, a malicious request can inject arbitrary HTTP response headers, enabling session fixation, cache poisoning, and reflected XSS in controlled response bodies. In Node.js versions prior to 14.6.0 this leads to HTTP response splitting, while in versions 14.6.0 and later it results in a denial of service due to an unhandled exception. An attacker who exploits this vulnerability gains the ability to inject arbitrary HTTP response headers, with a business impact of compromised data integrity and confidentiality, as well as potential loss of availability of the affected component. Prerequisites for exploitation are an attacker-controlled language value containing CRLF sequences and an older version of i18next.
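The defensive pattern the fixed version needs is to validate the request-derived language before it is echoed into Content-Language, rather than trusting the detector's output. The following is an added example (not the project's own code, and not its actual patch) showing a hypothetical validation helper and middleware; it assumes an upstream detector has stored the language on `req.language`, and uses a mock response object so it runs offline.

```javascript
// Added example, not i18next-http-middleware's own code.
// Allow only well-formed language tags (letters, digits, hyphens) before
// echoing a request-derived language into the Content-Language header.
const LANGUAGE_TAG = /^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$/;

// True only for values that cannot carry CR/LF or other header-breaking bytes.
function isSafeLanguageTag(value) {
  return typeof value === 'string' && LANGUAGE_TAG.test(value);
}

// Hypothetical middleware shape: sets Content-Language to the detected
// language only when it passes validation; otherwise falls back to the
// configured default so no untrusted bytes reach the header.
function contentLanguageMiddleware(defaultLng) {
  return function (req, res, next) {
    const lng = req.language; // assumed to be set by an upstream language detector
    if (isSafeLanguageTag(lng)) {
      res.setHeader('Content-Language', lng);
    } else {
      res.setHeader('Content-Language', defaultLng);
    }
    next();
  };
}

// Tiny stand-in for a Node.js response object so the example runs offline.
function makeMockResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name.toLowerCase()] = value; } };
}

// Constructed sample inputs: a valid tag and one carrying a CRLF sequence.
function runSample() {
  const mw = contentLanguageMiddleware('en');
  const results = {};
  for (const lng of ['de-CH', 'en\r\nX-Injected: 1']) {
    const res = makeMockResponse();
    mw({ language: lng }, res, () => {});
    results[lng] = res.headers['content-language'];
  }
  return results; // { 'de-CH': 'de-CH', 'en\r\nX-Injected: 1': 'en' }
}
```

The same check belongs at every point where a language value is reflected into a header, a cookie, or a rendered page, since the detector can take its value from query strings, cookies, or Accept-Language alike.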
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c3h8-g69v-pjrg