Description

next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `[email protected]`.

INFO

Published Date :

2026-04-17T20:49:05.642Z

Last Modified :

2026-04-20T15:58:51.149Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40299 vulnerability.

Vendors Products
Amannn
  • Next-intl
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40299.

URL Resource
https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6 cve-icon cve-icon cve-icon
https://github.com/amannn/next-intl/pull/2304 cve-icon cve-icon cve-icon
https://github.com/amannn/next-intl/releases/tag/v4.9.1 cve-icon cve-icon cve-icon
https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-40299 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-40299 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact