cvedb.io
CVE-2026-44214
MEDIUM · CVSS 5.8
EPSS exploitation probability: 0%
Published 2026-05-26T20:16:19.803 · Last modified 2026-06-17T10:50:22.090

Summary

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.
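The effect described above, shown with an added JavaScript example that is not the eventsource-encoder source: the function names, the message shape and the sample value are assumptions made for illustration, and the checked variant is one possible mitigation rather than a description of the 1.0.2 change.

```javascript
// Added illustration; NOT the eventsource-encoder code. All names are hypothetical.
// SSE treats CRLF, CR and LF each as a line terminator.
const EOL = /\r\n|\r|\n/;

// Behaviour the advisory describes: event and id are serialized verbatim.
function encodeUnsanitized({ event, id, data }) {
  let out = "";
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  for (const line of String(data).split(EOL)) out += `data: ${line}\n`;
  return out + "\n"; // blank line ends the message
}

// One possible mitigation (assumption): refuse CR/LF in the single-line fields.
function encodeChecked(msg) {
  for (const field of ["event", "id"]) {
    const value = msg[field];
    if (value !== undefined && EOL.test(String(value))) {
      throw new TypeError(`SSE ${field} field must not contain CR or LF`);
    }
  }
  return encodeUnsanitized(msg);
}

// Minimal receiver-side view: split into lines, a blank line closes a block.
function parseStream(text) {
  const messages = [];
  let cur = {};
  for (const line of text.split(EOL)) {
    if (line === "") {
      if (Object.keys(cur).length) messages.push(cur);
      cur = {};
      continue;
    }
    const i = line.indexOf(":");
    if (i === 0) continue; // comment line
    const name = i === -1 ? line : line.slice(0, i);
    let value = i === -1 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    cur[name] = name === "data" && cur.data !== undefined ? `${cur.data}\n${value}` : value;
  }
  return messages;
}

// Constructed input: one message whose id value carries line terminators.
const constructed = { event: "chat", id: "7\n\nevent: admin\ndata: forged", data: "hello" };
```

Passing `encodeUnsanitized(constructed)` to `parseStream` yields two blocks from one logical message, while `encodeChecked(constructed)` throws before anything reaches the stream.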

Affected products

rexxars — eventsource-encoder

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.