{"id":"CVE-2026-41683","summary":"HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header","details":"i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (\u003c 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.","aliases":["GHSA-c3h8-g69v-pjrg"],"modified":"2026-07-08T08:05:12.193191246Z","published":"2026-05-08T15:27:05.036Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41683.json","cwe_ids":["CWE-113","CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41683.json"},{"type":"ADVISORY","url":"https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41683"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/i18next/i18next-http-middleware","events":[{"introduced":"0"},{"fixed":"c6624343818c63e9877ba98125f7451580eae618"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.9.3"}],"source":"AFFECTED_FIELD"}}],"versions":["v3.9.2","v3.9.1","v3.9.0","v3.8.3","v3.8.2","v3.8.1","v3.8.0","v3.7.4","v3.7.3","v3.7.2","v3.7.1","v3.7.0","v3.6.0","v3.5.0","v3.4.1","v3.4.0","v3.3.2","v3.3.1","v3.3.0","v3.2.2","v3.2.1","v3.2.0","v3.1.6","v3.1.5","v3.1.4","v3.1.3","v3.1.2","v3.1.1","v3.1.0","v3.0.6","v3.0.5","v3.0.4","v3.0.3","v3.0.2","v3.0.1","v3.0.0","v2.1.2","v2.1.1","v2.1.0","v2.0.0","v1.3.1","v1.3.0","v1.2.1","v1.2.0","v1.1.0","v1.0.7","v1.0.6","v1.0.5","v1.0.4","v1.0.3","v1.0.2","v1.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41683.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}]}