EUVD-2026-31968

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

sse-channel 注入漏洞

SSE-Channel is a server-push event channel tool developed by Espen Hovlandsdal, based on Node.js. Versions of SSE-Channel prior to 4.0.1 had an injection vulnerability. This vulnerability stemmed from implementations that allowed users to provide values passed into fields such as event, retry, or...

HTTP Response Splitting

Overview eventsource-encoder is an Encodes events as well-formed EventSource/Server Sent Event SSE messages Affected versions of this package are vulnerable to HTTP Response Splitting via unsanitized event and id fields in the encoding process. An attacker can inject arbitrary Server-Sent Events...

eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields

Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...

PT-2026-39241

Name of the Vulnerable Software and Affected Versions eventsource-encoder versions prior to 1.0.2 Description The software fails to sanitize the event and id fields of an EventSourceMessage before serialization in the encodeMessage function. An attacker who controls these fields can inject...

PT-2026-37313

Name of the Vulnerable Software and Affected Versions sse-channel versions prior to 4.0.1 Description Implementations that allow user-provided values to be passed to the event, retry, or id fields are susceptible to event spoofing. This allows an attacker to inject arbitrary Server-Sent Events SS...

GHSA-P6XX-57QC-3WXR Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()

Summary When using streamSSE in Streaming Helper, the event, id, and retry fields were not validated for carriage return \r or newline \n characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if...

Hono 注入漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.4 had an injection vulnerability. This vulnerability stemmed from the streamSSE function not verifying carriage returns or line feeds in event, ID, and retry fields, which could lead to the...

CVE-2026-0556

CVE-2026-0556 concerns the XO Event Calendar WordPress plugin (versions

WordPress XO Event Calendar plugin <= 3.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'xoeventfield' shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin XO Event Calendar versions = 3.2.10...

PT-2026-20626

The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xo event field' shortcode in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

SUSE-SU-2024:1007-1 Security update for shadow

This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn bsc1210507. - CVE-2023-4641: Fixed possible password leak during passwd1 change bsc1214806. The following non-security bugs were fixed: - bsc1176006: Fix chage date miscalculation...

CVE-2014-0341

Multiple cross-site scripting XSS vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to 1 templatesinternal/pages.tpl, 2 templatesinternal/home.tpl, or 3 templatesinternal/entries.tpl; 4 an event field to objects.php;...