CVE-2026-33490

Exploit

EPSS 0.04%
Veröffentlicht 26.03.2026 17:19:15
Zuletzt bearbeitet 31.03.2026 21:00:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H3 ≫ H3 Version2.0.1 Updaterc1 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc10 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc11 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc12 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc13 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc14 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc15 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc16 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc2 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc3 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc4 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc5 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc6 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc7 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc8 SwPlatformnode.js

H3 ≫ H3 Version2.0.1 Updaterc9 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.135

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-33490

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33490

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33490

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33490