{"data":{"id":"b2ba6454-2b0a-4457-9b05-d719244dd46c","title":"GHSA-22cc-p3c6-wpvm: h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields","summary":"The h3 library has a vulnerability in its Server-Sent Events (SSE, a protocol for pushing real-time messages from a server to connected clients) implementation where newline characters in message fields are not removed before being sent. An attacker who controls any message field (id, event, data, or comment) can inject newline characters to break the SSE format and trick clients into receiving fake events, potentially forcing aggressive reconnections or manipulating which past events are replayed.","solution":"Upgrade h3 to a fixed release: 1.15.6 on the 1.x line, or 2.0.1-rc.15 on the 2.x line (see affectedPackages). The source discusses no workaround for deployments that cannot upgrade.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-22cc-p3c6-wpvm","publishedAt":"2026-03-18T16:17:43.000Z","cveId":"CVE-2026-33128","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["h3@< 1.15.6 (fixed: 1.15.6)","h3@>= 2.0.0, <= 2.0.1-rc.14 (fixed: 2.0.1-rc.15)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["h3"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-18T16:17:43.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}