CVE-2026-41683 - Vulnerability Analysis
HighCVSS: 8.6Last Updated: May 8, 2026
i18next-http-middleware - CRLF Injection
Published: May 8, 2026Updated: May 8, 2026Remote Exploitable
Overview
i18next-http-middleware < 3.9.3 contains a CRLF injection caused by improper sanitization of user-controlled language values in the Content-Language header, letting attackers inject carriage return and line feed characters, exploit requires use of older i18next versions producing raw language values.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Attackers can inject HTTP headers or manipulate responses, potentially enabling HTTP response splitting or web cache poisoning.
Mitigation
Update to version 3.9.3 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-41683
- Severity
- High
- CVSS Score
- 8.6
- Type
- crlf_injection
- Status
- new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L