CVE-2026-44217— sse-channel: SSE Injection via unsanitized event fields
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rexxars | sse-channel | < 4.0.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44217
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
sse-channel: SSE Injection via unsanitized event fields
Source: NVD (National Vulnerability Database)
Vulnerability Description
sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
sse-channel 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
sse-channel是Espen Hovlandsdal个人开发者的一个基于Node.js的服务器推送事件通道工具。 sse-channel 4.0.1之前版本存在注入漏洞,该漏洞源于允许用户提供值传递给event、retry或id字段的实现,可能导致攻击者注入任意消息到流中。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| rexxars | sse-channel | < 4.0.1 | - |
II. Public POCs for CVE-2026-44217
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44217
请登录查看更多情报信息。
- https://github.com/rexxars/sse-channel/issues/42x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-44217
IV. Related Vulnerabilities
Same weakness: CWE-93
- CVE-2026-32993
cPanel 注入漏洞 - CVE-2026-42586
Netty: CRLF Injection in Netty Redis Codec Encoder - CVE-2026-35504
Subnet Solutions PowerSYSTEM Center CRLF injection - CVE-2026-43882
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler - CVE-2026-43968
CR Injection in SSE Encoder Enables Event Splitting via cow_
V. Comments for CVE-2026-44217
No comments yet