CVE-2026-33128
Published: 20 March 2026
Summary
CVE-2026-33128 is a high-severity CRLF Injection (CWE-93) vulnerability in the H3 HTTP framework. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires identification, reporting, and timely remediation of the specific flaw in H3's createEventStream by patching to the fixed versions 1.15.6 or 2.0.1-rc.15.
Mandates validation of attacker-controlled SSE fields (id, event, data, comment) to neutralize CRLF sequences before formatting into event streams.
Enforces filtering of generated SSE output prior to client transmission to block arbitrary event injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable injection flaw in a public-facing HTTP framework (enables T1190). The core effect is injection of arbitrary events into an SSE stream delivered to clients, which maps directly to content injection (T1659) and manipulation of transmitted application data (T1565.002).
NVD Description
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Deeper analysis
CVE-2026-33128 is a Server-Sent Events (SSE) injection vulnerability in the H3 minimal HTTP framework, specifically affecting the createEventStream function due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). The flaw impacts H3 versions prior to 1.15.6 and those from 2.0.0 through 2.0.1-rc.14. It is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N) and maps to CWE-93 (Improper Neutralization of CRLF Sequences).
An attacker who controls any part of an SSE message field—such as id, event, data, or comment—can inject arbitrary SSE events that are delivered to connected clients. Exploitation requires network access and high attack complexity but no privileges or user interaction, with scope changing to enable low confidentiality impact and high integrity impact through injected events.
The H3 GitHub security advisory (GHSA-22cc-p3c6-wpvm) and related commit detail the fix, implemented in versions 1.15.6 and 2.0.1-rc.15 via proper sanitization. Security practitioners should upgrade affected H3 instances to these patched releases to mitigate the issue.
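The framing defect described above, shown as an added example in plain JavaScript: this is not H3's code and does not reproduce H3's actual patch; formatUnsafe, formatSafe, formatComment and countEvents are illustrative names, and the hostile input is constructed.

```javascript
// Added illustration of the CVE-2026-33128 bug class (not H3's code).
// An SSE event is a run of "field: value" lines ended by a blank line, so a
// field value carrying CR or LF ends its line early and can start new fields
// or an entirely new event (CWE-93).

// Vulnerable pattern: field values are interpolated with no newline handling.
function formatUnsafe({ id, event, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  out += `data: ${data}\n`;
  return out + "\n"; // the blank line terminates the event
}

// Single-line fields (id, event, comment) must never contain a line break.
// Stripping is used here; rejecting the value with an error is equally valid.
function stripNewlines(value) {
  return String(value).replace(/[\r\n]/g, "");
}

// Hardened pattern: single-line fields are sanitized, and multi-line data is
// emitted as repeated "data:" lines, which is how the SSE format carries it,
// so an embedded newline can only become another data line of the same event.
function formatSafe({ id, event, data }) {
  let out = "";
  if (id !== undefined) out += `id: ${stripNewlines(id)}\n`;
  if (event !== undefined) out += `event: ${stripNewlines(event)}\n`;
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + "\n";
}

function formatComment(text) {
  return `: ${stripNewlines(text)}\n`;
}

// Structural check for a unit test or an egress filter (SI-15): one logical
// message must produce exactly one event boundary on the wire.
function countEvents(chunk) {
  const normalized = chunk.replace(/\r\n|\r/g, "\n"); // SSE accepts CR, LF and CRLF
  return normalized.split("\n\n").filter((part) => part.length > 0).length;
}

// Constructed hostile input: the event name tries to close the current event
// and open a second one that the client would treat as a genuine message.
const hostile = { id: "7", event: "ping\ndata: {}\n\nevent: session-revoked", data: "ok" };

console.log(countEvents(formatUnsafe(hostile))); // 2: a second event was injected
console.log(countEvents(formatSafe(hostile)));   // 1: framing preserved
```

The same countEvents check can be run against any chunk an application hands to its SSE writer, which is a simple way to regression-test the patched formatter.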
Details
- CWE(s)