sse-channel: SSE Injection via unsanitized event fields_CVE-2026-44217

6.6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Description

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.

Basic Information

ID CVE-2026-44217

Source GitHub_M

Published May 12, 2026 at 19:51

Affected Product

Vendor rexxars

Product sse-channel

Version < 4.0.1

Affected Versions rexxars sse-channel < 4.0.1

CWE Classification

CWE-93

References

{
    "lastseen": "",
    "description": "sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.",
    "published": "2026-05-12T19:51:06.910Z",
    "modified": "2026-05-12T19:51:06.910Z",
    "type": "cve",
    "title": "sse-channel: SSE Injection via unsanitized event fields",
    "source": "GitHub_M",
    "references": "https://github.com/rexxars/sse-channel/security/advisories/GHSA-84hm-wfh8-c5pg\nhttps://github.com/rexxars/sse-channel/issues/42",
    "id": "CVE-2026-44217",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "rexxars sse-channel < 4.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "sse-channel",
    "version": "< 4.0.1",
    "vendor": "rexxars",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}