Vulnerability intelligence

CVE-2026-48713

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "proto.polluted" was split into ["proto", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

CVSS Score

9.1

Critical

EPSS — Exploit Probability

0.4%

Riskier than 30% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 18, 2026 · latest Jun 18, 2026

Coverage timeline

CVE-2026-48713 flaw in i18next lets attackers inject code
securityonline.info · Jun 18, 2026