CVE-2026-33128
Published 2026-03-20
Priority P2 · 66 · critical · CVSS 3.1 base score 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.2 percentile)
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and from 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can terminate the current line or event with a line break and append arbitrary SSE events, which connected clients receive on the same trusted, already-established stream and cannot distinguish from server-originated events. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
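The mechanism in the description, as an added worked example in TypeScript that is not h3's own code: a naive SSE formatter modeled on how the advisory describes formatEventStreamMessage() and formatEventStreamComment() (fields interpolated verbatim), a hardened formatter beside it, and a small client-side parser following the event-stream grammar so the effect on a consumer is visible. The names formatUnsafe, formatSafe, formatCommentUnsafe, formatCommentSafe, parseSSE and the injected payloads are assumptions constructed for this illustration; the parser is a simplified reading of the WHATWG spec, not a browser's EventSource, and the hardened formatter is one reasonable fix, not a claim about what the h3 patch does.

```typescript
// Added illustration modeled on the advisory's description; NOT h3's source.
// Names (formatUnsafe, formatSafe, parseSSE, EventStreamMessage) are assumed.

interface EventStreamMessage {
  id?: string;
  event?: string;
  retry?: number;
  data: string;
}

// VULNERABLE pattern: every field is interpolated verbatim. A CR or LF inside a
// value ends the current line, so the remainder is parsed as new fields, and a
// "\n\n" inside a value closes the event and starts a fresh, attacker-chosen one.
function formatUnsafe(msg: EventStreamMessage): string {
  let out = "";
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.retry !== undefined) out += `retry: ${msg.retry}\n`;
  out += `data: ${msg.data}\n\n`;
  return out;
}

function formatCommentUnsafe(comment: string): string {
  return `: ${comment}\n\n`;
}

// HARDENED pattern: single-line fields (id, event, comment) can never legally
// contain a line break, so CR and LF are stripped. Multi-line data is legal and
// is emitted as one "data:" line per line; the client re-joins them with "\n".
function stripLineBreaks(s: string): string {
  return s.replace(/[\r\n]/g, "");
}

function formatSafe(msg: EventStreamMessage): string {
  let out = "";
  if (msg.id !== undefined) out += `id: ${stripLineBreaks(msg.id)}\n`;
  if (msg.event !== undefined) out += `event: ${stripLineBreaks(msg.event)}\n`;
  if (msg.retry !== undefined && Number.isInteger(msg.retry)) out += `retry: ${msg.retry}\n`;
  for (const line of msg.data.split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  out += "\n";
  return out;
}

function formatCommentSafe(comment: string): string {
  return `: ${stripLineBreaks(comment)}\n\n`;
}

// Simplified client-side parser following the event-stream grammar in the
// WHATWG HTML spec: lines end at CRLF, CR or LF; a blank line dispatches the
// buffered event; lines starting with ":" are comments; one space after the
// field colon is dropped; several "data" lines are joined with "\n".
interface ParsedEvent {
  id?: string;
  event: string;
  data: string;
}

function parseSSE(stream: string): ParsedEvent[] {
  const events: ParsedEvent[] = [];
  let dataLines: string[] = [];
  let eventType = "message";
  let lastId: string | undefined;
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === "") {
      // Dispatch only when some data was buffered (as EventSource does).
      if (dataLines.length > 0) {
        events.push({ id: lastId, event: eventType, data: dataLines.join("\n") });
      }
      dataLines = [];
      eventType = "message";
      continue;
    }
    if (line.startsWith(":")) continue;
    const colon = line.indexOf(":");
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? "" : line.slice(colon + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") dataLines.push(value);
    else if (field === "event") eventType = value;
    else if (field === "id") lastId = value;
  }
  return events;
}

// Constructed attacker-controlled value, e.g. a room name echoed into the
// "event" field. It terminates the legitimate event and appends a second one
// whose type and payload the attacker picked.
const INJECTED_EVENT_NAME = 'chat\ndata: hi\n\nevent: admin-command\ndata: {"op":"wipe"}';

// Same idea through the comment path: a comment carries no data itself, but a
// line-break-laden comment value can smuggle a complete event after it.
const INJECTED_COMMENT = "keepalive\n\nevent: evil\ndata: pwned";

function demo(): { unsafe: ParsedEvent[]; safe: ParsedEvent[]; viaComment: ParsedEvent[]; viaCommentSafe: ParsedEvent[] } {
  const msg: EventStreamMessage = { event: INJECTED_EVENT_NAME, data: "ok" };
  return {
    unsafe: parseSSE(formatUnsafe(msg)),                           // 2 events, 2nd typed "admin-command"
    safe: parseSSE(formatSafe(msg)),                               // 1 event, data "ok"
    viaComment: parseSSE(formatCommentUnsafe(INJECTED_COMMENT)),   // 1 injected "evil" event
    viaCommentSafe: parseSSE(formatCommentSafe(INJECTED_COMMENT)), // no events at all
  };
}
```

Two points a practitioner should check in any fix: the SSE grammar treats a lone CR as a line terminator, so stripping only "\n" leaves the bug reachable via "\r"; and the data field is the one place where user-supplied line breaks are legitimate, so it must be split into multiple data: lines rather than stripped, or multi-line payloads silently change meaning. An id value is also reflected by the browser as the Last-Event-ID request header on reconnect, so injection through id reaches the server side too.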
Affected
7 ranges listed (three carry no version data and are omitted below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3 | h3 | < 1.15.6 | 1.15.6 |
| h3 | h3 | >= 0 < 1.15.6 | 1.15.6 |
| h3 | h3 | >= 2.0.0 < 2.0.1-rc.15 | 2.0.1-rc.15 |
| h3js | h3 | < 1.15.6 | 1.15.6 |
GHSA
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
ghsa · 2026-03-18 · CVE-2026-33128 · severity HIGH · CWE-93 (Improper Neutralization of CRLF Sequences)
## Summary
`createEventStream` in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in `formatEventStreamMessage()` and `formatEventStreamComment()`. An attacker who controls any part of an SSE message field (`id`, `event`, `data`, or comment) can inject arbitrary SSE events to connected clients.
## Details
The vulnerability exists in `src/utils/internal/event-stream.ts`, lines [170](https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170)-[187](https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L187):
```typescript
export function formatEventStrea
```
OSV
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
osv · 2026-03-18 · CVE-2026-33128 · severity HIGH
The OSV record carries the same Summary and Details text as the GHSA advisory above.
No detection rules found.
No public exploits indexed.