CVE-2026-33128

Exploit
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and from 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Data provided by the National Vulnerability Database (NVD)

| Vendor | Product | Version | Update | SwPlatform |
|---|---|---|---|---|
| H3 | H3 | < 1.15.6 | | node.js |
| H3 | H3 | 2.0.0 | | node.js |
| H3 | H3 | 2.0.1 | rc10 | node.js |
| H3 | H3 | 2.0.1 | rc11 | node.js |
| H3 | H3 | 2.0.1 | rc12 | node.js |
| H3 | H3 | 2.0.1 | rc13 | node.js |
| H3 | H3 | 2.0.1 | rc14 | node.js |
| H3 | H3 | 2.0.1 | rc2 | node.js |
| H3 | H3 | 2.0.1 | rc3 | node.js |
| H3 | H3 | 2.0.1 | rc4 | node.js |
| H3 | H3 | 2.0.1 | rc5 | node.js |
| H3 | H3 | 2.0.1 | rc6 | node.js |
| H3 | H3 | 2.0.1 | rc7 | node.js |
| H3 | H3 | 2.0.1 | rc8 | node.js |
| H3 | H3 | 2.0.1 | rc9 | node.js |

No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.051 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| security-advisories@github.com | 7.5 | 2.2 | 4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N |

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
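
The newline handling described in the CVE text above, as an added example that is not H3's code: a formatter that interpolates fields verbatim beside one way to neutralize CR/LF, with a minimal client-side parser to count the events a browser would dispatch. The names formatUnsafe, formatSafe, oneLine and parseEvents are hypothetical, the sample message is constructed, and only the id, event and data fields are covered.

```javascript
// Added example; not H3's code. All function names are hypothetical.

// Unsafe: interpolates fields verbatim, so a CR or LF inside any field
// ends the current line (or the whole event) early.
function formatUnsafe(msg) {
  let out = "";
  if (msg.id) out += `id: ${msg.id}\n`;
  if (msg.event) out += `event: ${msg.event}\n`;
  out += `data: ${msg.data}\n\n`;
  return out;
}

// Single-line fields: drop CR and LF entirely.
const oneLine = (v) => String(v).replace(/[\r\n]/g, "");

// Hardened: id/event are forced onto one line; data is split on every
// line terminator the SSE parser recognises and each piece gets its own
// "data:" prefix, so embedded newlines stay inside the data payload.
function formatSafe(msg) {
  let out = "";
  if (msg.id) out += `id: ${oneLine(msg.id)}\n`;
  if (msg.event) out += `event: ${oneLine(msg.event)}\n`;
  for (const line of String(msg.data).split(/\r\n|\r|\n/)) {
    out += `data: ${line}\n`;
  }
  return out + "\n";
}

// Minimal client-side parser: returns the events a browser would dispatch.
function parseEvents(stream) {
  const events = [];
  let cur = { event: "message", data: [] };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (cur.data.length) events.push({ event: cur.event, data: cur.data.join("\n") });
      cur = { event: "message", data: [] };
    } else if (!line.startsWith(":")) {
      const i = line.indexOf(":");
      const field = i < 0 ? line : line.slice(0, i);
      const value = i < 0 ? "" : line.slice(i + 1).replace(/^ /, "");
      if (field === "event") cur.event = value;
      if (field === "data") cur.data.push(value);
    }
  }
  return events;
}

// Constructed input: a chat message whose text contains line breaks.
const sample = { event: "chat", data: "hi\n\nevent: admin\ndata: forged" };
```

Parsing the output of formatUnsafe for the sample yields two events, while the output of formatSafe yields one "chat" event whose data is the original text; a check of this shape works as a regression test after upgrading to 1.15.6 or 2.0.1-rc.15.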