CVE-2026-33128
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
| CWE | CWE-93 |
| Vendor | h3js |
| Product | h3 |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for h3js h3
Be the first to know when new high vulnerabilities affecting h3js h3 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
Affected Versions
h3js / h3
>= 2.0.0, < 2.0.1-rc.15 < 1.15.6