2 vulnerabilities found for sse-channel by rexxars
CVE-2026-44217 (GCVE-0-2026-44217)
Vulnerability from nvd – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52
Title
sse-channel: SSE Injection via unsanitized event fields
Summary
sse-channel is an SSE implementation that can be used with any Node.js HTTP request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. The record classifies this as CWE-93 (CRLF injection), i.e. line-break sequences in those field values are not neutralized before being written to the stream. This vulnerability is fixed in 4.0.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg | x_refsource_CONFIRM |
| https://github.com/rexxars/sse-channel/issues/42 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | sse-channel | Affected: < 4.0.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:50:24.505003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:02.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sse-channel",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:51:06.910Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
},
{
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rexxars/sse-channel/issues/42"
}
],
"source": {
"advisory": "GHSA-84hm-wfh8-c5pg",
"discovery": "UNKNOWN"
},
"title": "sse-channel: SSE Injection via unsanitized event fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44217",
"datePublished": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-14T19:52:02.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44217 (GCVE-0-2026-44217)
Vulnerability from cvelistv5 – Published: 2026-05-12 19:51 – Updated: 2026-05-14 19:52
Title
sse-channel: SSE Injection via unsanitized event fields
Summary
sse-channel is an SSE implementation that can be used with any Node.js HTTP request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. The record classifies this as CWE-93 (CRLF injection), i.e. line-break sequences in those field values are not neutralized before being written to the stream. This vulnerability is fixed in 4.0.1.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg | x_refsource_CONFIRM |
| https://github.com/rexxars/sse-channel/issues/42 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rexxars | sse-channel | Affected: < 4.0.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:50:24.505003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:02.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sse-channel",
"vendor": "rexxars",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:51:06.910Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg"
},
{
"name": "https://github.com/rexxars/sse-channel/issues/42",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rexxars/sse-channel/issues/42"
}
],
"source": {
"advisory": "GHSA-84hm-wfh8-c5pg",
"discovery": "UNKNOWN"
},
"title": "sse-channel: SSE Injection via unsanitized event fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44217",
"datePublished": "2026-05-12T19:51:06.910Z",
"dateReserved": "2026-05-05T15:13:47.572Z",
"dateUpdated": "2026-05-14T19:52:02.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}