Medium severity 5.8 · GHSA Advisory · Published May 26, 2026 · Updated May 28, 2026
CVE-2026-44214
Description
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.
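The following added example is not code from eventsource-encoder or from the advisory. It uses a hypothetical encoder (`encodeNaive`, `encodeStrict`) and a minimal receiver-side parser (`parseStream`) to show why unsanitized `event` and `id` values change what a client dispatches, and one way to reject them. Rejecting rather than stripping CR/LF is an assumption, not a statement about how 1.0.2 behaves.

```javascript
// Added example: hypothetical encoder, not the eventsource-encoder source.
const LINE_TERMINATOR = /[\r\n]/;

// Vulnerable shape: event and id are written to the stream verbatim.
function encodeNaive({ event, id, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Hardened shape (assumed policy: reject, rather than strip, CR/LF).
function encodeStrict(msg) {
  for (const field of ['event', 'id']) {
    const value = msg[field];
    if (value !== undefined && LINE_TERMINATOR.test(String(value))) {
      throw new TypeError(`SSE "${field}" field must not contain CR or LF`);
    }
  }
  return encodeNaive(msg);
}

// Minimal client-side parser for event/id/data fields only (comments are
// ignored, retry and last-event-ID persistence are left out).
function parseStream(text) {
  const messages = [];
  let cur = { event: 'message', id: undefined, data: [] };
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') { // blank line dispatches the pending message
      if (cur.data.length) messages.push({ ...cur, data: cur.data.join('\n') });
      cur = { event: 'message', id: undefined, data: [] };
      continue;
    }
    const i = line.indexOf(':');
    const name = i === -1 ? line : line.slice(0, i);
    const value = i === -1 ? '' : line.slice(i + 1).replace(/^ /, '');
    if (name === 'event' || name === 'id') cur[name] = value;
    else if (name === 'data') cur.data.push(value);
  }
  return messages;
}

// Constructed input for a regression test: an id with embedded line terminators.
const tainted = { event: 'chat', id: '7\ndata: forged\n\nevent: admin', data: 'real' };
```

With the naive encoder the receiver sees two messages instead of one, and the application's real data arrives under an event type the caller never set; the strict encoder refuses the input before anything reaches the stream.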
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| eventsource-encoder (npm) | < 1.0.2 | 1.0.2 |
Affected products
- (no CPE), range: <= 1.0.1
- cpe:2.3:a:rexxars:eventsource-encoder:*:*:*:*:*:node.js:*:*, range: < 1.0.2
References
- github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-m9g3-3g99-mhpx (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-44214 (ghsa: ADVISORY)
- html.spec.whatwg.org/multipage/server-sent-events.html (ghsa: WEB)