Home / Vulnerability Intelligence / CVE-2026-33128

CVE-2026-33128 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: March 20, 2026

H3 - Stored XSS

Published: March 20, 2026Updated: March 20, 2026PoC AvailableRemote Exploitable

Overview

H3 < 1.15.6 and 2.0.0 through 2.0.1-rc.14 contain a Server-Sent Events (SSE) injection caused by missing newline sanitization in createEventStream functions, letting attackers inject arbitrary SSE events to clients, exploit requires control of SSE message fields.

Severity & Score

Severity: High

CVSS Score: 7.5

Impact

Attackers can inject arbitrary SSE events to connected clients, potentially leading to client-side script execution or manipulation.

Mitigation

Update to versions 1.15.6 or 2.0.1-rc.15 or later.

References

https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6
https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33128
Severity: High
CVSS Score: 7.5
Type: stored_xss
Status: confirmed

CWE

CWE-93

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N