Is there a patch available for CVE-2026-44217?

Yes, a patch is available for CVE-2026-44217. Update the affected software to the latest version immediately.

sse-channel CVE-2026-44217

Q: What is the CVSS score of CVE-2026-44217?

CVE-2026-44217 has a CVSS 4.0 base score of 6.6 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

2026-05-05 https://github.com/rexxars/sse-channel

GHSA-84hm-wfh8-c5pg

Code Injection

6.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

May 12, 2026 - 20:22 NVD

6.6 (MEDIUM)

Source Code Evidence Fetched

May 05, 2026 - 23:01 vuln.today

Analysis Generated

May 05, 2026 - 23:01 vuln.today

DescriptionNVD

Impact

Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.

Event Spoofing: Attacker can inject arbitrary SSE events into the stream
Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones

Patches

Patch available in v4.0.1.

Workarounds

Do not allow user data to control event, retry or id fields, and if you must - sanitize the input before passing it to sse-channel, stripping any newlines.

Resources

https://github.com/rexxars/sse-channel/issues/42

AnalysisAI

Event spoofing in sse-channel (npm) allows attackers to inject arbitrary Server-Sent Events (SSE) messages by passing unsanitized user input to the event, retry, or id fields, enabling client-side manipulation and data integrity violations. Affects sse-channel versions 4.0.0 and earlier; patched in v4.0.1. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44217 vulnerability details – vuln.today

Back

sse-channel CVE-2026-44217

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

Resources

AnalysisAI

Analysis

Full analysis requires sign-in

Share

sse-channel CVE-2026-44217

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Workarounds

Resources

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code