CVE-2026-33128 - Vulnerability Analysis
HighCVSS: 7.5Last Updated: March 20, 2026
H3 - Stored XSS
Overview
H3 < 1.15.6 and 2.0.0 through 2.0.1-rc.14 contain a Server-Sent Events (SSE) injection caused by missing newline sanitization in createEventStream functions, letting attackers inject arbitrary SSE events to clients, exploit requires control of SSE message fields.
Severity & Score
Impact
Attackers can inject arbitrary SSE events to connected clients, potentially leading to client-side script execution or manipulation.
Mitigation
Update to versions 1.15.6 or 2.0.1-rc.15 or later.
References
Social Media Activity(1 post)
š CVE-2026-33128 - High (7.5) H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and format... š https://www.thehackerwire.com/vulnerability/CVE-2026-33128/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-33128
- Severity
- High
- CVSS Score
- 7.5
- Type
- stored_xss
- Status
- confirmed
- EPSS
- 1.5%
- Social Posts
- 1
CWE
- CWE-93
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N