h3js is a JavaScript library for embedding interactive 3D visualizations in web applications. Historically, it has been susceptible to cross-site scripting (XSS) vulnerabilities due to improper input sanitization in rendering functions, and remote code execution (RCE) through maliciously crafted 3D model files. The library has also faced privilege escalation issues where sandboxed contexts could bypass security restrictions. Notable security characteristics include its client-side execution model and dynamic content rendering capabilities. While no major public incidents have been widely documented, the six CVEs recorded highlight recurring issues around input validation and secure rendering practices in web-based 3D visualization libraries.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33490 | h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes — h3, CWE-706 | 3.7 | Low | 2026-03-26 |
| CVE-2026-33131 | h3 has a middleware bypass with one gadget — h3, CWE-290 | 7.4 | High | 2026-03-20 |
| CVE-2026-33129 | h3 has an observable timing discrepancy in basic auth utils — h3, CWE-208 | 5.9 | Medium | 2026-03-20 |
| CVE-2026-33128 | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields — h3, CWE-93 | 7.5 | High | 2026-03-20 |
| CVE-2026-23527 | h3 v1 has Request Smuggling (TE.TE) issue — h3, CWE-444 | 8.9 | High | 2026-01-15 |
This page lists every published CVE security advisory associated with h3js. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.