CVE-2026-41693: i18next-fs-backend Path Traversal Exposes Servers


The National Vulnerability Database has disclosed CVE-2026-41693, a high-severity path traversal vulnerability (CVSS 8.2) affecting i18next-fs-backend versions prior to 2.6.4. This Node.js and Deno library, used for loading translations from the filesystem, substitutes the `lng` (language) and `ns` (namespace) options directly into file paths without encoding or validation. An attacker can therefore supply a crafted `lng` or `ns` value, such as `../../../../etc/passwd`, to read or overwrite arbitrary files outside the intended locale directory.

This vulnerability is particularly dangerous when `lng` or `ns` values are derived from untrusted user input, a common scenario in web applications. Frameworks using i18next-http-middleware, or any system that lets end users select a language via query strings, cookies, or headers, are at significant risk. A single crafted HTTP request can expose sensitive system files, leading to information disclosure, or to potential remote code execution if the file-overwrite primitive is chained with other weaknesses.

Defenders must prioritize patching i18next-fs-backend to version 2.6.4 or later. Beyond patching, review the application to ensure that all user-supplied input used in file path construction is rigorously validated and sanitized. This isn’t just about i18next; it is a stark reminder that trusting user input in filesystem operations is a critical security flaw.

What This Means For You

  • If your Node.js or Deno applications use `i18next-fs-backend`, check your version immediately. Patch to 2.6.4 or later. This is a critical path traversal that allows attackers to read or overwrite arbitrary files, potentially leading to full system compromise. Don't assume your framework handles input validation for you; verify it.

Detection Rules


Level: high · ATT&CK: T1190 (Initial Access)

CVE-2026-41693: i18next-fs-backend Path Traversal Attempt

Sigma rule (YAML):

title: 'CVE-2026-41693: i18next-fs-backend Path Traversal Attempt'
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41693 by looking for path traversal sequences within the query string of web requests. This indicates an attacker is trying to manipulate the 'lng' or 'ns' parameters of i18next-fs-backend to read or write files outside the intended directory.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41693/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..%2f'
      - '%2e%2e%2f'
      - '../'
      - '%2e%2e/'
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-41693 | Path Traversal         | i18next-fs-backend versions prior to 2.6.4
CVE-2026-41693 | Path Traversal         | Vulnerable component: i18next-fs-backend, due to unencoded and unvalidated interpolation of 'lng' and 'ns' options into loadPath/addPath templates.
CVE-2026-41693 | Information Disclosure | Attack vector: crafted 'lng' or 'ns' value (e.g., ?lng=../../../../etc/passwd) to read files outside the intended directory.
CVE-2026-41693 | Code Injection         | Attack vector: crafted 'lng' or 'ns' value to overwrite files outside the intended directory.
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
