Description
Implementations that allow user-provided values to be passed to the `event`, `retry` or `id` fields would be susceptible to event spoofing, in which an attacker could inject arbitrary messages into the stream.
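The sketch below is an added illustration of this bug class, not sse-channel's own code: a serializer that writes field values verbatim next to one that rejects line breaks, with a simplified receiver showing what a client would dispatch. The function names `frameUnsafe`, `frameSafe` and `parseEvents` and the sample value are assumptions made for the example.

```javascript
// Added example: hypothetical serializers, not sse-channel's implementation.
// Naive framing: field values are written into the stream verbatim.
function frameUnsafe({ id, event, retry, data }) {
  let out = '';
  if (id !== undefined) out += `id: ${id}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  return out + `data: ${data}\n\n`;
}

// Hardened framing: id and event may not contain CR or LF, retry must be a
// non-negative integer, and every line of data gets its own "data:" prefix.
function frameSafe({ id, event, retry, data }) {
  const oneLine = (name, value) => {
    const s = String(value);
    if (/[\r\n]/.test(s)) throw new TypeError(`${name} contains a line break`);
    return s;
  };
  let out = '';
  if (id !== undefined) out += `id: ${oneLine('id', id)}\n`;
  if (event !== undefined) out += `event: ${oneLine('event', event)}\n`;
  if (retry !== undefined) {
    if (!Number.isInteger(retry) || retry < 0) throw new TypeError('bad retry');
    out += `retry: ${retry}\n`;
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Simplified receiver: returns the messages a client would dispatch.
function parseEvents(stream) {
  const events = [];
  let cur = { event: 'message', data: [] };
  for (const line of stream.split(/\r\n|\r|\n/)) {
    if (line === '') { // a blank line ends the current message
      if (cur.data.length) events.push({ event: cur.event, data: cur.data.join('\n') });
      cur = { event: 'message', data: [] };
      continue;
    }
    const m = /^([^:]+):? ?(.*)$/.exec(line);
    if (m && m[1] === 'event') cur.event = m[2];
    else if (m && m[1] === 'data') cur.data.push(m[2]);
  }
  return events;
}
// Constructed input: a value that reaches the event field with line breaks in it.
const tainted = 'notice\ndata: injected\n';
const spoofed = parseEvents(frameUnsafe({ event: tainted, data: 'hello' }));
console.log(spoofed.length, spoofed[0]);
```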
Recommendation
Update the sse-channel package to the latest compatible version. Version details:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.0.1
References
Related Issues
- Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API - CVE-2026-45719
- Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()` - CVE-2026-44635
- i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
Tags: npm, sse-channel
Last updated on May 13, 2026


