CVE-2026-44217

sse-channel: SSE Injection via unsanitized event fields

CVSS 6.6 MEDIUM · EPSS 0.4% · CWE-93
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS 6.6 · EPSS 0.4% · KEV: no · PoC · Patch
Lifecycle
12 May 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
sse-channel is an SSE implementation that can be used with any Node.js HTTP request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
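The following added example, which is not sse-channel's code or its 4.0.1 fix, shows why a line break in a single-line SSE field yields a spoofed message, and a serializer that rejects it. All function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example: generic SSE wire-format code, not sse-channel's implementation.

// Naive serializer: field values are copied into the stream unchanged.
function serializeNaive({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  return out + `data: ${data}\n\n`;
}

// Reject any value that would end the current field line (CR or LF).
function singleLine(name, value) {
  const s = String(value);
  if (/[\r\n]/.test(s)) throw new TypeError(`${name} must not contain CR or LF`);
  return s;
}

// Hardened serializer: event/id are single-line, retry is digits only,
// and multi-line data is emitted as one "data:" line per input line.
function serializeSafe({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${singleLine('event', event)}\n`;
  if (id !== undefined) out += `id: ${singleLine('id', id)}\n`;
  if (retry !== undefined) {
    if (!/^\d+$/.test(String(retry))) throw new TypeError('retry must be ASCII digits');
    out += `retry: ${retry}\n`;
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Minimal receiver: a blank line dispatches the message, as a browser EventSource does.
function parseStream(text) {
  const messages = [];
  for (const block of text.split(/\r\n\r\n|\n\n|\r\r/)) {
    const msg = { event: 'message', data: [] };
    for (const line of block.split(/\r\n|\r|\n/)) {
      const i = line.indexOf(':');
      if (i < 1) continue; // skip comments and lines without a field name
      const value = line.slice(i + 1).replace(/^ /, '');
      if (line.slice(0, i) === 'data') msg.data.push(value);
      else if (line.slice(0, i) === 'event') msg.event = value;
    }
    if (msg.data.length) messages.push({ event: msg.event, data: msg.data.join('\n') });
  }
  return messages;
}

// Constructed untrusted value for the event field (sample input, not from the page).
const untrustedEvent = 'chat\ndata: forged\n\nevent: chat';
const naiveMessages = parseStream(serializeNaive({ event: untrustedEvent, data: 'hello' }));
```

With the naive serializer the receiver sees two messages from one send call; the hardened one throws before anything reaches the stream.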
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Affected products
rexxars · sse-channel
