{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T09:37:07.206Z", "dateUpdated": "2026-03-20T11:40:27.956Z"}, "containers": {"cna": {"title": "h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"}, {"name": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"}, {"name": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.0, < 2.0.1-rc.15", "status": "affected"}, {"version": "< 1.15.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:37:07.206Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}], "source": {"advisory": "GHSA-22cc-p3c6-wpvm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:36:13.079547Z", "id": "CVE-2026-33128", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:40:27.956Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33128", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T11:36:13.079547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:40:21.329Z"}}], "cna": {"title": "h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields", "source": {"advisory": "GHSA-22cc-p3c6-wpvm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.0.1-rc.15"}, {"status": "affected", "version": "< 1.15.6"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "name": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "name": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "name": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:37:07.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33128", "state": "PUBLISHED", "dateUpdated": "2026-03-20T11:40:27.956Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:37:07.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h3:h3:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8B8C8545-3682-40FD-A897-6729997A94E7", "versionEndExcluding": "1.15.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "A80DE960-665D-4590-B6D5-645099B808E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*", "matchCriteriaId": "603A08FC-B20B-4693-90A1-0BF5F08B43AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*", "matchCriteriaId": "BCC5ECF0-0EED-48BC-95FA-1D2671A971A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*", "matchCriteriaId": "BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*", "matchCriteriaId": "3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*", "matchCriteriaId": "3D1C9D7B-3CE4-427B-93B4-EAF867159AFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*", "matchCriteriaId": "C5E7779A-00CA-45E7-8F68-1DAB5388ED4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*", "matchCriteriaId": "064C21F5-8633-45F3-9A3D-3FB029A867B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*", "matchCriteriaId": "DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*", "matchCriteriaId": "496314A3-8F2B-4274-9D0D-7F11E896FEA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*", "matchCriteriaId": "35F49342-D52C-4762-9369-F380C5E7E0B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*", "matchCriteriaId": "D11CA1A7-3141-46EA-9687-32C333FC7B0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*", "matchCriteriaId": "A4A6FD03-5DE5-4D73-9FF3-BB653302C60B", "vulnerable": true}, {"criteria": "cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*", "matchCriteriaId": "5E404148-6862-44F5-961D-10E8A742A4B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}, {"lang": "es", "value": "H3 es un framework H(TTP) m\u00ednimo. En versiones anteriores a la 1.15.6 y entre la 2.0.0 y la 2.0.1-rc.14, createEventStream es vulnerable a la inyecci\u00f3n de Eventos Enviados por el Servidor (SSE) debido a la falta de saneamiento de nueva l\u00ednea en formatEventStreamMessage() y formatEventStreamComment(). Un atacante que controla cualquier parte de un campo de mensaje SSE (id, evento, datos o comentario) puede inyectar eventos SSE arbitrarios a los clientes conectados. Este problema est\u00e1 solucionado en las versiones 1.15.6 y 2.0.1-rc.15."}], "id": "CVE-2026-33128", "lastModified": "2026-03-20T20:00:21.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T10:16:19.160", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.1-rc.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "h3", "source": "cna", "vendor": "h3js"}, "product": "h3", "vendor": "h3js"}], "analysis": {"en": {"generated_at": "2026-03-20T21:51:58.280562+00:00", "value": {"mitigation_remediation": ["Update the h3 package to at least version 1.15.6 or 2.0.1\u2011rc15 to apply the newline sanitization fix.", "If updating is not immediately possible, restrict or block access to the SSE endpoint, or remove SSE functionality from production until the patch is available.", "As a temporary workaround, ensure any application code that generates SSE messages removes or escapes newline characters from the id, event, data, and comment fields before passing them to the formatter."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Sent Events Injection"}, "threat_synthesis": {"affected_systems": "Affects the h3 framework distributed by h3js. All releases before 1.15.6, and releases from 2.0.0 up to 2.0.1\u2011rc14, are vulnerable. Versions 1.15.6 and 2.0.1\u2011rc15 or later contain the fix. The vulnerability resides in the SSE implementation used by the framework.", "description_and_impact": "The vulnerability in the h3 HTTP framework allows an attacker who can control any part of a Server\u2011Sent Events (SSE) message field\u2014id, event, data, or comment\u2014to inject arbitrary SSE content into the stream sent to clients. The missing newline sanitization in the formatting functions lets injected characters be interpreted as new events, potentially delivering malicious payloads to browser\u2011based clients. This flaw is classified as CWE\u201193, indicating that input is placed in an HTTP response without proper contextual escaping.", "risk_and_exploitability": "The CVSS score of 7.5 marks it as high severity. The EPSS score is less than 1\u202f% and the issue is not listed in CISA\u2019s KEV catalog, suggesting a low exploitation probability but still realistic. Exploitation can be performed remotely by an attacker who can influence the content of an SSE message\u2014for example, through a malicious upstream data source or crafted request. The impact is limited to clients consuming the SSE stream; compromised clients could execute injected scripts or otherwise be manipulated. Client\u2011side code has no need for elevated server privileges, making remote exploitation feasible for attackers with network access to the SSE endpoint."}}}}, "created": "2026-03-20T10:36:24.135593+00:00", "updated": "2026-03-25T14:29:40.480222+00:00", "vendors": ["h3js", "h3js$PRODUCT$h3"]}