CVE-2026-33128

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187	Product
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6	Patch
https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:h3:h3::::::node.js::*
	cpe:2.3:a:h3:h3:2.0.0:::::node.js::
	cpe:2.3:a:h3:h3:2.0.1:rc10::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc11::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc12::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc13::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc14::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc2::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc3::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc4::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc5::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc6::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc7::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc8::::node.js::*
	cpe:2.3:a:h3:h3:2.0.1:rc9::::node.js::*

History

20 Mar 2026, 20:00

Type	Values Removed	Values Added
First Time		H3 h3 H3
CPE		cpe:2.3:a:h3:h3:2.0.1:rc8::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc7::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc6::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc5::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc14::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc12::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc9::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc13::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc2::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc10::::node.js::* cpe:2.3:a:h3:h3::::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc4::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc3::::node.js::* cpe:2.3:a:h3:h3:2.0.1:rc11::::node.js::* cpe:2.3:a:h3:h3:2.0.0:::::node.js::
Summary		(es) H3 es un framework H(TTP) mínimo. En versiones anteriores a la 1.15.6 y entre la 2.0.0 y la 2.0.1-rc.14, createEventStream es vulnerable a la inyección de Eventos Enviados por el Servidor (SSE) debido a la falta de saneamiento de nueva línea en formatEventStreamMessage() y formatEventStreamComment(). Un atacante que controla cualquier parte de un campo de mensaje SSE (id, evento, datos o comentario) puede inyectar eventos SSE arbitrarios a los clientes conectados. Este problema está solucionado en las versiones 1.15.6 y 2.0.1-rc.15.
References	~~() https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187 -~~	() https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187 - Product
References	~~() https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 -~~	() https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 - Patch
References	~~() https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm -~~	() https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm - Exploit, Vendor Advisory

20 Mar 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 10:16

Updated : 2026-03-20 20:00

NVD link : CVE-2026-33128

Mitre link : CVE-2026-33128

CVE.ORG link : CVE-2026-33128

JSON object : View

Products Affected

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

7.5 /10