CVE-2026-44214

5.8 MEDIUM

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages

Published: 2026-05-26 · Last updated: 2026-05-28

Severity and scoring

CVSS: 5.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE: CWE-113, CWE-93

Affected products

Vendor	Product
rexxars	eventsource-encoder

Description

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44214
[Vendor advisory]https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx
[Vendor advisory]https://github.com/rexxars/eventsource-encoder/security/advisories/GHSA-m9g3-3g99-mhpx

Related CVEs

Same CWE

CVE-2026-12143 — form-data is a library for creating readable multipart/form-data streams (7.5 HIGH)
CVE-2026-50630 — A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class (6.5 MEDIUM)
CVE-2026-50629 — The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing ... (5.3 MEDIUM)
CVE-2026-44489 — Axios is a promise based HTTP client for the browser and Node.js (3.7 LOW)
CVE-2026-49214 — guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP (5.3 MEDIUM)