CVE-2026-41683: i18next-http-middleware Header Injection Risk

The National Vulnerability Database has published CVE-2026-41683, a high-severity vulnerability (CVSS 8.6) in i18next-http-middleware, a Node.js and Deno middleware for web frameworks such as Express and Fastify. Before version 3.9.3, the middleware was susceptible to CRLF injection in the Content-Language response header: utils.escape() failed to strip carriage return and line feed characters from user-controlled language values.

The vulnerability becomes critical when the application also uses an older i18next library (before 19.5.0), which makes the middleware fall back to a backward-compatibility code path. On that path, raw, attacker-controlled CRLF sequences in the lng parameter could reach res.setHeader('Content-Language', ...), resulting in HTTP header injection. That in turn can enable response splitting (CWE-113) and cross-site scripting (CWE-79), letting an attacker manipulate HTTP responses or inject content into client browsers.

Defenders need to understand the chain of dependencies here. It’s not just about the middleware; it’s about how it interacts with the underlying i18next library. The fix is in i18next-http-middleware version 3.9.3. Organizations must prioritize upgrading to mitigate the risk of header manipulation and subsequent client-side attacks.
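A defensive check for the lng value described above, as an added example that is not the middleware's own code (the helper names and the Express-style handler are assumed):

```javascript
// Added example, not code from i18next-http-middleware: validate the
// user-supplied `lng` value before it is echoed into Content-Language.
// Instead of escaping CR/LF out of an arbitrary string, accept only values
// shaped like a language tag and fall back otherwise, so a header-breaking
// value never reaches res.setHeader().

// Conservative BCP 47-style shape: 2-8 letter primary subtag, then optional
// hyphen-separated subtags of letters/digits ("en", "pt-BR", "zh-Hant-TW").
const LANGUAGE_TAG = /^[A-Za-z]{2,8}(?:-[A-Za-z0-9]{1,8})*$/;

// Any ASCII control character (CR 0x0D and LF 0x0A included) or DEL.
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/;

// Returns a header-safe language tag, or `fallback` when the input is
// missing, contains control characters, or does not look like a tag.
function safeLanguageTag(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  // Reject rather than strip: removing CR/LF still leaves an arbitrary
  // string, and silently stripping hides the abuse from logs.
  if (CONTROL_CHARS.test(input)) return fallback;
  if (!LANGUAGE_TAG.test(input)) return fallback;
  return input;
}

// Builds a Content-Language value from one or more preferred languages,
// dropping every entry that fails validation and de-duplicating the rest.
function contentLanguageHeader(lngs, fallback = 'en') {
  const list = Array.isArray(lngs) ? lngs : [lngs];
  const safe = [...new Set(list.map((l) => safeLanguageTag(l, '')).filter(Boolean))];
  return safe.length > 0 ? safe.join(', ') : fallback;
}

// Hypothetical Express-style usage (assumed handler, not the middleware's own):
//   app.use((req, res, next) => {
//     res.setHeader('Content-Language', contentLanguageHeader(req.query.lng));
//     next();
//   });

// Self-check on constructed inputs: the CRLF-bearing entry is dropped.
console.log(contentLanguageHeader(['pt-BR', 'en\r\nfoo: bar', 'zh-Hant-TW']));
// → pt-BR, zh-Hant-TW
```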

What This Means For You

  • If your applications use `i18next-http-middleware` in Node.js or Deno environments, verify the installed version immediately: anything older than 3.9.3 is affected. Upgrading to `i18next-http-middleware` version 3.9.3 is critical to prevent HTTP header injection, especially when older `i18next` versions (before 19.5.0) are also present in your stack, since that combination is the direct path to client-side attacks that can compromise user sessions and data.

Detection Rules


CVE-2026-41683: i18next-http-middleware Language Header Injection (Sigma rule, level: high, mapped to ATT&CK T1190 Initial Access)

Sigma YAML:
title: 'CVE-2026-41683: i18next-http-middleware Language Header Injection'
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41683 by looking for requests containing the 'lng=' parameter in the query string, often used in conjunction with locale paths, which could be manipulated to inject CRLF characters into the Content-Language header.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41683/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'lng='
    cs-uri|contains:
      - '/locales/'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Ordinary locale selection by legitimate users (any request carrying lng= matches; tune on CR/LF or %0d%0a in the value where the log source exposes it)

Indicators of Compromise

ID              Type            Indicator
CVE-2026-41683  Code Injection  i18next-http-middleware < 3.9.3
CVE-2026-41683  Code Injection  i18next < 19.5.0
CVE-2026-41683  Code Injection  Vulnerable component: Content-Language response header via lng parameter
CVE-2026-41683  Code Injection  Attack vector: CRLF injection in Content-Language header

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.