@intlify/shared is vulnerable to Cross-site Scripting (XSS)
51
Medium Risk
Translated HTML sanitization is meant to block script execution when interpolation is rendered with v-html and escapeParameterHtml is enabled. Earlier releases only neutralized plain javascript: URLs in a few attribute and style patterns, so entity-encoded colons and other obfuscated scheme spellings could still survive parsing and reach the DOM as executable navigation targets. The sanitizer now recognizes encoded javascript schemes, rewrites dangerous URL attributes and CSS url() values to about:blank, and covers unquoted URL attributes. Regression tests lock in entity-encoded and style-based cases after DOM parsing.
You are affected if you are using a version that falls within the vulnerable range.
@intlify/shared is vulnerable to Cross-site Scripting (XSS) in versions 11.1.10 - 11.4.3.
Upgrade the @intlify/shared library to the patched version.
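The normalization the description refers to, as an added example (not @intlify/shared's own code): decode character references and drop URL-ignored whitespace before testing the scheme, then rewrite matching URL attributes and CSS url() values to about:blank. All function names and sample strings are hypothetical and constructed for illustration.

```javascript
// Added illustration; not @intlify/shared source. All names here are hypothetical.
const NAMED = { colon: ':', tab: '\t', newline: '\n' };

// Approximate the HTML parser's character-reference decoding, which happens
// before a value reaches the DOM: decimal (&#58;), hex (&#x3a;), a few named forms.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(colon|tab|newline));?/gi,
    (m, hex, dec, name) => {
      if (name) return NAMED[name.toLowerCase()];
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
    });
}

// The "plain javascript:" check the advisory describes as insufficient.
const plainOnly = (v) => /^\s*javascript:/i.test(v);

// Normalize first, then test the scheme. URL parsing drops leading control
// characters and spaces, and removes tab/CR/LF anywhere in the string.
function hasScriptScheme(raw) {
  const url = decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(url);
}

// URL-bearing attributes: double-quoted, single-quoted and unquoted values.
const ATTR_RE =
  /\b(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function neutralizeUrlAttrs(html) {
  return html.replace(ATTR_RE, (m, name, dq, sq, bare) =>
    hasScriptScheme(dq ?? sq ?? bare) ? `${name}="about:blank"` : m);
}

// CSS url(...) values, with or without quotes.
function neutralizeCssUrls(html) {
  return html.replace(/url\(\s*(["']?)([^)]*?)\1\s*\)/gi, (m, q, value) =>
    hasScriptScheme(value) ? 'url(about:blank)' : m);
}

const sanitize = (html) => neutralizeCssUrls(neutralizeUrlAttrs(html));

// Constructed sample: entity-encoded colon in an unquoted href.
console.log(sanitize('<a href=javascript&#58;void(0)>link</a>'));
```

The `plainOnly` check passes the entity-encoded sample through untouched, while `hasScriptScheme` flags it because the comparison happens after decoding.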