Product
Untrusted input can exploit a prototype pollution vulnerability (CVE-2026-48713) in `i18next-fs-backend` versions prior to 2.6.6, particularly via `i18next-http-middleware`'s `missingKeyHandler`, by submitting crafted missing-key strings that leverage the `keySeparator` to write arbitrary properties onto `Object.prototype`, leading to crashes, configuration poisoning, or security bypasses.