ByteOS Network

rexxars

Source -

CNANVD

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-44214

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-5.8||MEDIUM

EPSS-0.01% / 1.54%

7 Day CHG~0.00%

Published-26 May, 2026 | 19:34

Updated-28 May, 2026 | 14:30

eventsource-encoder: SSE event injection via unsanitized event and id fields

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2.

Vendor-rexxars rexxars

Product-eventsource-encoder eventsource-encoder

CWE ID-CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE ID-CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2026-44217

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-6.6||MEDIUM

EPSS-0.02% / 5.88%

7 Day CHG~0.00%

Published-12 May, 2026 | 19:51

Updated-14 May, 2026 | 19:52

sse-channel: SSE Injection via unsanitized event fields

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. This vulnerability is fixed in 4.0.1.

Vendor-rexxars

Product-sse-channel

CWE ID-CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')