CVE Vulnerabilities

CVE-2026-33128

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Published: Mar 20, 2026 | Modified: Mar 20, 2026
CVSS 3.x
10
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io logo minimus.io logo echo.ai logo

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.

Weakness

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Affected Software

NameVendorStart VersionEnd Version
H3H3*1.15.6 (excluding)
H3H32.0.0 (including)2.0.0 (including)
H3H32.0.1-rc10 (including)2.0.1-rc10 (including)
H3H32.0.1-rc11 (including)2.0.1-rc11 (including)
H3H32.0.1-rc12 (including)2.0.1-rc12 (including)
H3H32.0.1-rc13 (including)2.0.1-rc13 (including)
H3H32.0.1-rc14 (including)2.0.1-rc14 (including)
H3H32.0.1-rc2 (including)2.0.1-rc2 (including)
H3H32.0.1-rc3 (including)2.0.1-rc3 (including)
H3H32.0.1-rc4 (including)2.0.1-rc4 (including)
H3H32.0.1-rc5 (including)2.0.1-rc5 (including)
H3H32.0.1-rc6 (including)2.0.1-rc6 (including)
H3H32.0.1-rc7 (including)2.0.1-rc7 (including)
H3H32.0.1-rc8 (including)2.0.1-rc8 (including)
H3H32.0.1-rc9 (including)2.0.1-rc9 (including)

Potential Mitigations

References