CVE-2026-33128
published 2026-03-20


Priority: P2 (66)
CVSS 3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.2nd percentile)
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and from 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection because formatEventStreamMessage() and formatEventStreamComment() do not sanitize newlines. An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

Affected (7 ranges)

Vendor  Product  Version range             Fixed in
h3      h3       < 1.15.6                  1.15.6
h3      h3
h3      h3
h3      h3       >= 0 < 1.15.6             1.15.6
h3      h3       >= 2.0.0 < 2.0.1-rc.15    2.0.1-rc.15
h3js    h3       < 1.15.6                  1.15.6
h3js    h3