CVE-2026-33129
published 2026-03-20

Priority: P4 | 34 | medium | CVSS 3.1: 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.6th percentile)

H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
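
The comparison pattern described above next to a constant-time alternative, as an added example: this is not H3's code or its actual patch, and the names `checkPasswordUnsafe`, `safeEqual`, `parseBasicAuth` and `verifyBasicAuth` are hypothetical. It assumes Node.js and its built-in `crypto.timingSafeEqual`.

```javascript
const crypto = require("node:crypto");

// Pattern named in the advisory: `!==` may return as soon as a difference is
// found, so the time taken can depend on how much of the password matches.
function checkPasswordUnsafe(supplied, expected) {
  return !(supplied !== expected);
}

// Per-process random key (assumption of this example). Hashing both sides
// gives equal-length buffers, which timingSafeEqual requires, and avoids
// revealing the length of the expected value.
const COMPARE_KEY = crypto.randomBytes(32);

function digest(value) {
  return crypto.createHmac("sha256", COMPARE_KEY).update(String(value), "utf8").digest();
}

// Constant-time equality over the fixed-length digests.
function safeEqual(a, b) {
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// Parse "Authorization: Basic <base64(user:pass)>"; returns null if malformed.
function parseBasicAuth(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // the password may itself contain ":"
  if (sep === -1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Both fields are always compared, so a wrong username and a wrong password
// follow the same code path; a malformed header is compared as empty strings.
function verifyBasicAuth(header, expected) {
  const parsed = parseBasicAuth(header);
  const creds = parsed ?? { username: "", password: "" };
  const userOk = safeEqual(creds.username, expected.username);
  const passOk = safeEqual(creds.password, expected.password);
  return parsed !== null && userOk && passOk;
}
```
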

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3 | h3 | | |
| h3 | h3 | | |
| h3 | h3 | >= 2.0.0-beta.0 < 2.0.1-rc.9 | 2.0.1-rc.9 |
| h3js | h3 | | |