JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

### Impact
Applications using the `next-intl` middleware with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.
### Patches
The problem has been patched, please update to [`next-intl@4.9.1`](https://github.com/amannn/next-intl/releases/tag/v4.9.1).
### Credits
Many thanks to [Joni Liljeblad](https://github.com/joniumGit) from [Oura](https://ouraring.com) for responsibly disclosing the vulnerability and for suggesting the fix.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-68qg-g8mg-6pr7	CRITICAL	10	JavaScript	@paperclipai/server	No	Yes	Apr 10, 2026
GHSA-jvff-x2qm-6286	HIGH	8.8	JavaScript	mathjs	No	Yes	Apr 10, 2026
GHSA-75hx-xj24-mqrw	HIGH	8.2	JavaScript	n8n-mcp	No	Yes	Apr 10, 2026
CVE-2026-40299	MEDIUM	6.9	JavaScript	next-intl	No	Yes	Apr 10, 2026
GHSA-x7mm-9vvv-64w8	LOW	2.3	JavaScript	unhead	No	Yes	Apr 10, 2026

CVE-2026-40299:
JavaScript vulnerability analysis and mitigation

Impact

Patches

Credits

6.9

Related JavaScript vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2026-40299: JavaScript vulnerability analysis and mitigation