What is CVE-2026-33128?

CVE-2026-33128 is a high-severity vulnerability in H3js H3, classified under CRLF Injection. CVSS score: 7.5/10. Published 2026-03-20.

How severe is CVE-2026-33128?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in H3js H3

CVE-2026-33128

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() an…

Vulnerability class: CRLF Injection

EPSS: 0.000 (7.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N.

Affected products

H3js H3 — versions >= 2.0.0, < 2.0.1-rc.15, < 1.15.6

Weakness classification (CWE)

CWE-93 — CRLF Injection

References

https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm (x_refsource_CONFIRM)
https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6 (x_refsource_MISC)
https://github.com/h3js/h3/blob/52c82e18bb643d124b8b9ec3b1f62b081f044611/src/utils/internal/event-stream.ts#L170-L187 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33128?: CVE-2026-33128 is a high-severity vulnerability in H3js H3, classified under CRLF Injection. CVSS score: 7.5/10. Published 2026-03-20.
How severe is CVE-2026-33128?: High severity. CVSS v3 base score is 7.5 out of 10.