Vulnerability in Nestjs Nest

CVE-2026-35515

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream._transform() interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline…

EPSS: 0.000 (2.3th percentile) — read the EPSS interpretation.

Affected products

Nestjs Nest — versions < 11.1.18

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

https://github.com/nestjs/nest/security/advisories/GHSA-36xv-jgw5-4q75 (x_refsource_CONFIRM)