CVE-2026-41693 is a high-severity path traversal vulnerability in i18next-fs-backend (npm), affecting versions < 2.6.4. It is fixed in 2.6.4.
Summary Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (?lng= query parameter, cookie, request header), a crafted value can break out of the intended locale directory. Affected call sites in lib/index.js: read (line 38 pre-patch): const filename = interpolate(loadPath, { lng: language, ns: namespace }) removeFile (line 101 pre-patch): same pattern against addPath writeFile (line 127 pre-patch): same pattern against addPath for queued missing-key writes The helper interpolate in lib/utils.js substitutes raw values with no encoding, unlike the addQueryString helper in i18next-http-backend, there is no equivalent safety for path interpolation. Impact Arbitrary file read. With a loadPath like /locales/{{lng}}/{{ns}}.json, an attacker-controlled lng = '../../etc' (and matching ns) causes the backend to read a file outside the locale directory. For parsers that tolerate arbitrary content (YAML's freeform text), the file contents surface as a translation resource. Arbitrary file overwrite. addPath is interpolated the same way for missing-key writes (the create() code path and the debounced writer in writeFile). A traversing lng/ns combination can cause the process to write JSON structures to an unintended filesystem location, potentially overwriting application files if the process user has write access. Chain with .js/.ts eval. i18next-fs-backend supports loading .js and .ts locale files by eval-ing their content (intentional feature, documented as requiring trusted sources). Combining traversal with that path, for example lng = '../../../app/config' against loadPath: '/locales/{{lng}}/{{ns}}.js', would cause the backend to execute a server-side file as JavaScript, exfiltrating whatever it can touch (process.env, connected services). Exploitation requires the application to pass an untrusted lng/ns value through to i18next.t() without its own validation. Many i18next setups do exactly this via i18next-browser-languagedetector (query string / cookie detection). Affected versions All versions of i18next-fs-backend prior to 2.6.4. Patch Fixed in 2.6.4. lib/utils.js now exports: isSafePathSegment(v), returns true only if v is a non-empty string of ≤ 128 chars that does not contain .., /, \, control characters, or a prototype key (proto, constructor, prototype). Legitimate i18next language-code shapes (BCP-47, en_US, zh-Hant-HK, pirate-speak, my-custom.ns, +-joined multi-language values) all pass. interpolatePath(template, data), substitutes variables like the existing interpolate but refuses the whole result if any segment fails isSafePathSegment. Callers bail out with an error (read) or silently drop the queued write (writeFile, removeFile). The .js / .ts eval behaviour is intentionally retained, dynamic expressions in locale files are a documented feature of this backend, and safe replacements like dynamic import() are async-only and incompatible with this backend's sync-capable code path. The README has a new "Security considerations" section that spells out the trust model: .js/.ts locale files must be treated as code. Workarounds No workaround short of upgrading. If you cannot upgrade immediately, sanitise lng / ns at your application boundary before passing them to i18next, reject values containing .., /, \, control characters, and cap the length. Credits Discovered via an internal security audit of the i18next ecosystem.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-41693 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.6.4). Upgrading removes the vulnerable code path.
npm
i18next-fs-backend (< 2.6.4)i18next-fs-backend → 2.6.4 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-41693 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-41693 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-41693 in your environment →Upgrade i18next-fs-backend to 2.6.4 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-41693 is a high-severity path traversal vulnerability in i18next-fs-backend (npm), affecting versions < 2.6.4. It is fixed in 2.6.4. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-41693 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
i18next-fs-backend (npm) versions < 2.6.4 is affected.
Yes. CVE-2026-41693 is fixed in 2.6.4. Upgrade to this version or later.
Whether CVE-2026-41693 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade i18next-fs-backend to 2.6.4 or later.