A critical vulnerability, CVE-2026-48713, has been identified in the i18next translation tool, with a CVSS score of 9.1. The flaw affects the i18next-fs-backend package, which has over one million weekly downloads. It arises from how the backend handles missing translation keys: an attacker can exploit that handling to write arbitrary properties to the global prototype. Not all deployments are affected; those running version 2.6.5 or older with specific configurations are at risk.
A related bug, CVE-2026-48714, further extends the attack surface. The maintainers have released a patch, version 2.6.6, to address this issue, and advise users to upgrade or implement temporary mitigations.
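
The bug class described above, as an added example that is not code from i18next-fs-backend or its maintainers: a naive dotted-path write beside a hardened one that refuses prototype-reaching segments. It assumes a missing key is stored by walking its dot-separated segments into a nested object and that "global prototype" means `Object.prototype`; the function names and the sample key are hypothetical.

```javascript
// Added illustration: hypothetical helpers, not i18next-fs-backend code.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// Naive nested write: every dotted segment is followed blindly, so a
// "__proto__" segment resolves to Object.prototype and the write lands there.
function setPathNaive(target, path, value, sep = '.') {
  const parts = path.split(sep);
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Hardened write: reject empty or prototype-reaching segments, descend only
// into own properties, and create containers without a prototype.
function setPathSafe(target, path, value, sep = '.') {
  const parts = String(path).split(sep);
  if (parts.some((p) => p === '' || FORBIDDEN.has(p))) {
    throw new RangeError(`rejected translation key: ${JSON.stringify(path)}`);
  }
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Runs both variants against one constructed hostile key and reports the effect.
function demo() {
  const hostileKey = '__proto__.gr_demo_flag'; // constructed sample input
  const result = { naivePolluted: false, safeRejected: false, safePolluted: false };
  try {
    setPathNaive({}, hostileKey, 'x');
    result.naivePolluted = ({}).gr_demo_flag === 'x'; // unrelated object sees it
  } finally {
    delete Object.prototype.gr_demo_flag; // undo the demo's own pollution
  }
  try { setPathSafe(Object.create(null), hostileKey, 'x'); } catch (e) { result.safeRejected = e instanceof RangeError; }
  result.safePolluted = 'gr_demo_flag' in {};
  return result;
}
```

A guard of this kind is a stopgap for input validation in front of the backend; upgrading to 2.6.6 remains the fix the maintainers give.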