CPE
A critical prototype pollution vulnerability (CVE-2026-48714) exists in `i18next-http-middleware` versions up to 3.9.6, where the `missingKeyHandler` fails to adequately sanitize dotted key segments, allowing attackers to manipulate `Object.prototype` when exposed to untrusted input and used with vulnerable `i18next-fs-backend` versions up to 2.6.5, potentially leading to configuration poisoning, security bypasses, crashes, or remote code execution.