CVE-2026-33128 · CRITICAL 10.0 · EPSS p38.0%

CVE-2026-33128

Description

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
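The defect class described above is CWE-93: a field value containing CR or LF can end the current SSE frame and start a new one. The following is an added example, not h3's code: a naive formatter of the kind the advisory describes beside a hardened one, plus a minimal client-side parser that counts how many events a browser would dispatch from each. The function names, the `SAMPLE` value and the parser are this example's own constructions.

```javascript
// Added example (not from h3): SSE frame formatting with CR/LF neutralization (CWE-93).
// Function names mirror the advisory's wording but are this example's own.

const LINE_BREAK = /\r\n|\r|\n/;

// id and event have no legal encoding for a line break, so a value containing
// one is rejected rather than silently rewritten.
function assertSingleLine(field, value) {
  const s = String(value);
  if (LINE_BREAK.test(s)) {
    throw new TypeError(`SSE field "${field}" must not contain CR or LF`);
  }
  return s;
}

// Hardened formatter: every line of a multi-line data value becomes its own
// "data:" line, so the frame can only end where the formatter ends it.
function formatEventStreamMessage(msg) {
  let out = "";
  if (msg.id !== undefined) out += `id: ${assertSingleLine("id", msg.id)}\n`;
  if (msg.event !== undefined) out += `event: ${assertSingleLine("event", msg.event)}\n`;
  if (msg.retry !== undefined) {
    if (!Number.isInteger(msg.retry) || msg.retry < 0) {
      throw new TypeError("SSE retry must be a non-negative integer");
    }
    out += `retry: ${msg.retry}\n`;
  }
  for (const line of String(msg.data ?? "").split(LINE_BREAK)) out += `data: ${line}\n`;
  return out + "\n"; // the blank line terminates the frame
}

// Hardened comment: same per-line treatment, each line prefixed with ":".
function formatEventStreamComment(comment) {
  return String(comment).split(LINE_BREAK).map((l) => `: ${l}\n`).join("");
}

// Naive formatter of the kind the advisory describes: values interpolated verbatim.
function naiveFormatEventStreamMessage(msg) {
  return `id: ${msg.id}\nevent: ${msg.event}\ndata: ${msg.data}\n\n`;
}

// Minimal parser following the WHATWG EventSource dispatch rules: an event is
// dispatched at each blank line if the data buffer is non-empty.
function parseEventStream(text) {
  const events = [];
  let data = [];
  let event = "message";
  let id;
  for (const line of text.split(LINE_BREAK)) {
    if (line === "") {
      if (data.length > 0) events.push({ event, id, data: data.join("\n") });
      data = [];
      event = "message";
      continue;
    }
    if (line.startsWith(":")) continue; // comment line
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") data.push(value);
    else if (field === "event") event = value;
    else if (field === "id") id = value;
  }
  return events;
}

// Constructed sample: a data value that contains a blank line, as an
// attacker-controlled field might.
const SAMPLE = { id: "42", event: "tick", data: "first\n\ndata: second" };

// Naive formatting lets the embedded blank line split the message into two events.
function countEventsNaive() {
  return parseEventStream(naiveFormatEventStreamMessage(SAMPLE)).length; // 2
}

// Hardened formatting yields one event whose data round-trips unchanged.
function countEventsHardened() {
  return parseEventStream(formatEventStreamMessage(SAMPLE)).length; // 1
}
```

The detection side of this is simple: any server-side SSE writer that interpolates a field value without checking for `\r` or `\n` has the same shape as the vulnerable code, so a code search for template literals building `id:`, `event:` or `data:` lines is a quick audit.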

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.0% · 2026-06-19T12:03:05Z
Published: 2026-03-20
Last modified: 2026-03-20

Underlying weaknesses · 1

CWE-93

References

  1. https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187
  2. https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6
  3. https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm


Type: Weakness · Target: Improper Neutralization of CRLF Sequences ('CRLF Injection') (cwe-93) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-23527
  2. CVE-2026-33131
  3. CVE-2025-22871
  4. CVE-2026-38967
  5. CVE-2026-35392
  6. CVE-2026-3960

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.