{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.927Z", "datePublished": "2026-03-20T09:37:07.206Z", "dateUpdated": "2026-03-20T11:40:27.956Z"}, "containers": {"cna": {"title": "h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"}, {"name": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"}, {"name": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "tags": ["x_refsource_MISC"], "url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187"}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"version": ">= 2.0.0, < 2.0.1-rc.15", "status": "affected"}, {"version": "< 1.15.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:37:07.206Z"}, "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}], "source": {"advisory": "GHSA-22cc-p3c6-wpvm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:36:13.079547Z", "id": "CVE-2026-33128", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:40:27.956Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33128", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T11:36:13.079547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:40:21.329Z"}}], "cna": {"title": "h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields", "source": {"advisory": "GHSA-22cc-p3c6-wpvm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "h3js", "product": "h3", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.0.1-rc.15"}, {"status": "affected", "version": "< 1.15.6"}]}], "references": [{"url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "name": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "name": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "name": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:37:07.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33128", "state": "PUBLISHED", "dateUpdated": "2026-03-20T11:40:27.956Z", "dateReserved": "2026-03-17T20:35:49.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:37:07.206Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15."}], "id": "CVE-2026-33128", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T10:16:19.160", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187"}, {"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"}, {"source": "security-advisories@github.com", "url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:20:22.684809+00:00", "value": {"mitigation_remediation": ["Upgrade h3 to at least version 1.15.6 or 2.0.1\u2011rc.15 to eliminate the injection flaw."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Sent Event injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the h3 framework (h3js:h3) in all versions prior to 1.15.6 and in the 2.0.0 to 2.0.1\u2011rc.14 series. Upgrading to at least 1.15.6 or 2.0.1\u2011rc.15 is required to remove the flaw.", "description_and_impact": "The vulnerability is caused by missing newline sanitization in the formatEventStreamMessage() and formatEventStreamComment() functions, allowing an attacker who can control any part of an SSE message field (id, event, data, or comment) to inject arbitrary Server\u2011Sent Events into the stream. This injection can deliver malicious events to connected clients, potentially leading to client\u2011side security issues such as cross\u2011site scripting or other injections. The weakness is categorized as CWE\u201193 (Improper Handling of Special Elements in a Data String).", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network\u2011based, requiring the attacker\u2019s ability to modify the content of an SSE response for a client that is connected to the vulnerable server. If the client trusts the server, the injected events could manipulate application state or run malicious payloads. This combination of high severity and network attack surface results in a significant risk for exposed services that use h3's SSE functionality."}}}}, "created": "2026-03-20T10:36:24.135593+00:00", "updated": "2026-03-20T10:36:24.135620+00:00", "vendors": []}