Search
Find a vulnerability
Search criteria
2 vulnerabilities found for sse-channel by rexxars
CVE-2026-44217 (GCVE-0-2026-44217)
Vulnerability from nvd – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52
VLAI
EPSS
VEX
Title
sse-channel: SSE Injection via unsanitized event fields
Summary
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rexxars/sse-channel/security/a… | x_refsource_CONFIRM |
| https://github.com/rexxars/sse-channel/issues/42 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | sse-channel |
Affected:
< 4.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:50:24.505003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:02.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sse-channel",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:51:06.910Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
},
{
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rexxars/sse-channel/issues/42"
}
],
"source": {
"advisory": "GHSA-84hm-wfh8-c5pg",
"discovery": "UNKNOWN"
},
"title": "sse-channel: SSE Injection via unsanitized event fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44217",
"datePublished": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-14T19:52:02.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44217 (GCVE-0-2026-44217)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52
VLAI
EPSS
VEX
Title
sse-channel: SSE Injection via unsanitized event fields
Summary
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rexxars/sse-channel/security/a… | x_refsource_CONFIRM |
| https://github.com/rexxars/sse-channel/issues/42 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | sse-channel |
Affected:
< 4.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:50:24.505003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:02.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sse-channel",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:51:06.910Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
},
{
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rexxars/sse-channel/issues/42"
}
],
"source": {
"advisory": "GHSA-84hm-wfh8-c5pg",
"discovery": "UNKNOWN"
},
"title": "sse-channel: SSE Injection via unsanitized event fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44217",
"datePublished": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-14T19:52:02.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}