MEDIUM
rexxars
CVE published 2026-05-26
CVE-2026-44214
A Server-Sent Events (SSE) injection vulnerability exists in the eventsource-encoder library prior to version 1.0.2. The library fails to sanitize the `event` and `id` fields of an `EventSourceMessage` before serialization, allowing attackers who control either field to inject line terminators (`\n`, `\r`, or `\r\n`). This injection capability enables forging of additional SSE fields or entire messages within [truncated]
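The flaw class described above, as an added example that is not eventsource-encoder's code or its 1.0.2 patch: a hypothetical serializer that writes `event` and `id` verbatim, a hardened variant that rejects CR/LF in those fields (one possible mitigation, assumed here), and a minimal parser showing what a client would dispatch. The names `encodeNaive`, `encodeSafe`, `parseStream` and the sample message are constructed for illustration.

```javascript
// Added example: hypothetical encoder, not eventsource-encoder's own code.
const EOL = /\r\n|\r|\n/; // the three line terminators an SSE parser accepts

// Naive serializer: writes `event` and `id` verbatim.
function encodeNaive({ event, id, data = '' }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  for (const line of String(data).split(EOL)) out += `data: ${line}\n`;
  return out + '\n';
}

// Hardened serializer: reject CR/LF in the single-line fields before writing.
function encodeSafe(msg) {
  for (const field of ['event', 'id']) {
    if (msg[field] !== undefined && /[\r\n]/.test(String(msg[field]))) {
      throw new TypeError(`SSE "${field}" must not contain CR or LF`);
    }
  }
  return encodeNaive(msg);
}

// Minimal receiver-side parser (event/id/data only): what a client dispatches.
function parseStream(text) {
  const messages = [];
  let cur = { event: 'message', id: undefined, data: [] };
  for (const line of text.split(EOL)) {
    if (line === '') { // a blank line ends the current message
      if (cur.data.length) messages.push({ ...cur, data: cur.data.join('\n') });
      cur = { event: 'message', id: undefined, data: [] };
      continue;
    }
    const colon = line.indexOf(':');
    if (colon === 0) continue; // comment line
    const name = colon === -1 ? line : line.slice(0, colon);
    const value = colon === -1 ? '' : line.slice(colon + 1).replace(/^ /, '');
    if (name === 'data') cur.data.push(value);
    else if (name === 'event' || name === 'id') cur[name] = value;
  }
  return messages;
}

// Constructed input: an `event` value that contains line terminators.
const tainted = { event: 'chat\ndata: forged\n\nevent: chat', data: 'hello' };
const received = parseStream(encodeNaive(tainted));
console.log(received.length, received.map((m) => m.data));
```

The server intended one message, but the receiver dispatches two; `encodeSafe` refuses the same input before anything reaches the stream.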