CVE-2026-33128

High CVSS: 7.5

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

Vendor

Product

CWE

CWE-93

Yayın Tarihi

2026-03-20 10:16:19

Güncelleme

2026-03-20 20:00:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-93 H3 HIGH H3 2026

Referanslar

https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187 https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm

Benzer Kayıtlar

Medium

CVE-2026-33732

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `F…

Low

CVE-2026-33490

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `sta…

High

CVE-2026-33131

H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in t…

Medium

CVE-2026-33129

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability i…

High

CVE-2026-23527

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP R…