High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 20, 2026
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
CVE-2026-33128
Description
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
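To make the bug class concrete, the following is an added illustrative example written for this page; it is not h3's own code and does not reproduce the project's fix. It places a naive SSE formatter that concatenates field values verbatim (the pattern the advisory describes) beside a hardened one that strips CR/LF from single-line fields and re-emits multi-line `data` as one `data:` line per line, then runs both through a minimal EventSource-style parser. The function names, the crafted `id` value and the parser are all constructed for the example.

```javascript
// Added example (not h3's code): naive vs. hardened SSE field formatting.

// Naive formatter: every "\n" inside a field value terminates the current
// line, so a value the attacker controls can open new fields or a new event.
function formatMessageNaive({ id, event, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  if (data !== undefined) out += `data: ${data}\n`;
  return out + "\n"; // blank line dispatches the event on the client
}

function formatCommentNaive(comment) {
  return `: ${comment}\n`;
}

// Hardened formatter (illustrative mitigation, assumed, not h3's actual fix).
// id/event/comment are single-line fields, so CR and LF are removed outright.
// data may legitimately span lines, but each line must carry its own "data:"
// prefix; the client joins them with "\n" on dispatch.
const LINE_TERMINATOR = /\r\n|\r|\n/g;

function sanitizeSingleLine(value) {
  return String(value).replace(LINE_TERMINATOR, "");
}

function formatMessageSafe({ id, event, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${sanitizeSingleLine(id)}\n`;
  if (event !== undefined) out += `event: ${sanitizeSingleLine(event)}\n`;
  if (data !== undefined) {
    for (const line of String(data).split(LINE_TERMINATOR)) {
      out += `data: ${line}\n`;
    }
  }
  return out + "\n";
}

function formatCommentSafe(comment) {
  return `: ${sanitizeSingleLine(comment)}\n`;
}

// Minimal parser following the EventSource dispatch rules: fields accumulate
// until a blank line; an event is dispatched only if a data buffer exists.
function parseEventStream(text) {
  const events = [];
  let lastEventId = "";
  let eventType;
  let data = [];
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (data.length > 0) {
        events.push({ id: lastEventId, event: eventType ?? "message", data: data.join("\n") });
      }
      eventType = undefined;
      data = [];
      continue;
    }
    if (line.startsWith(":")) continue; // comment line, ignored by clients
    const colon = line.indexOf(":");
    let field = line;
    let value = "";
    if (colon !== -1) {
      field = line.slice(0, colon);
      value = line.slice(colon + 1);
      if (value.startsWith(" ")) value = value.slice(1);
    }
    if (field === "data") data.push(value);
    else if (field === "event") eventType = value;
    else if (field === "id") lastEventId = value;
  }
  return events;
}

// Constructed sample: an id value carrying embedded newlines that, if passed
// through unsanitized, terminates the current event and starts a second one.
const CRAFTED_ID = "42\nevent: admin\ndata: injected\n\nid: 7";

// Returns how many events a client would dispatch for the same message
// depending on which formatter the server used.
function countDispatchedEvents(formatter) {
  const wire = formatter({ id: CRAFTED_ID, event: "update", data: "hello" });
  return parseEventStream(wire).length;
}

console.log("naive:", countDispatchedEvents(formatMessageNaive)); // 2 events
console.log("safe: ", countDispatchedEvents(formatMessageSafe));  // 1 event
```

The parser is deliberately small, but it applies the same rule real clients do: a blank line ends the event. That is why stripping line terminators from `id`, `event` and comment values is sufficient for those fields, while `data` needs splitting rather than stripping so that legitimate multi-line payloads still survive intact.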
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h3 (npm) | >= 2.0.0, < 2.0.1-rc.15 | 2.0.1-rc.15 |
| h3 (npm) | < 1.15.6 | 1.15.6 |
Affected products
- h3js/h3 v5, range: >= 2.0.0, < 2.0.1-rc.15
References
- https://github.com/advisories/GHSA-22cc-p3c6-wpvm (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33128 (advisory)
- https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts (affected source)
- https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 (fix commit)
- https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm (vendor advisory)