Description
Implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker can inject arbitrary messages into the stream.
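The following added example is not sse-channel's code. It shows a hypothetical serializer that writes the event, id and retry fields unchecked, a hardened variant, and a small parser that shows what a receiver sees. It assumes the injection vector is line breaks in a field value, which follows from the line-delimited SSE wire format but is not spelled out in the advisory; all function names and the sample input are constructed.

```javascript
// Added example: hypothetical serializers, not sse-channel's own code.
const LINE_BREAK = /[\r\n]/;
const EOL = /\r\n|\r|\n/;

// Naive form: event, id and retry are written to the stream unchecked.
function serializeNaive({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  for (const line of String(data).split(EOL)) out += `data: ${line}\n`;
  return out + '\n'; // a blank line terminates the message
}

// Hardened form: single-line fields may not carry CR/LF, retry must be digits.
function serializeSafe(msg) {
  for (const name of ['event', 'id']) {
    if (msg[name] !== undefined && LINE_BREAK.test(String(msg[name]))) {
      throw new RangeError(`${name} must not contain line breaks`);
    }
  }
  if (msg.retry !== undefined && !/^\d+$/.test(String(msg.retry))) {
    throw new RangeError('retry must be a whole number of milliseconds');
  }
  return serializeNaive(msg);
}

// Receiver's view: split the stream into messages as an EventSource client does.
function parseStream(text) {
  const messages = [];
  let cur = { event: 'message', data: [] };
  for (const line of text.split(EOL)) {
    if (line === '') { // a blank line dispatches the pending message
      if (cur.data.length) messages.push({ event: cur.event, data: cur.data.join('\n') });
      cur = { event: 'message', data: [] };
      continue;
    }
    const i = line.indexOf(':');
    if (i === 0) continue; // comment line
    const field = i < 0 ? line : line.slice(0, i);
    const value = i < 0 ? '' : line.slice(i + 1).replace(/^ /, '');
    if (field === 'event') cur.event = value;
    else if (field === 'data') cur.data.push(value);
  }
  return messages;
}

// Constructed input: a user-supplied event name containing line breaks.
const untrusted = { event: 'chat\ndata: forged\n\nevent: notice', data: 'hello' };
```

Passing `untrusted` through `serializeNaive` and then `parseStream` yields two messages where the server intended one, while `serializeSafe` rejects the same input with a `RangeError`.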
Recommendation
Update the sse-channel package to the latest compatible version. Version details:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.0.1
References
Related Issues
- i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
- Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
- Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()` - CVE-2026-44635
- Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
Tags: npm, sse-channel
Last updated on May 13, 2026


