CVE-2026-33128

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: high
Availability: none

Description

AI Translation Available

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Modify Application Data
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f…
https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/ut…
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b7…
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6
https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3…
https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm