136 matches found
EUVD-2026-31692
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...
MAL-2026-2768 Malicious code in h3-next (npm)
Source: amazon-inspector 41a779cef19955b279051dff59351c5f041b3834e2c9bd972c0b0be096aa767f The package h3-next was found to contain malicious code...
CVE-2026-33490
A flaw was found in H3, a minimal HTTP framework. The mount method, responsible for routing requests to sub-applications, incorrectly uses a simple string comparison to check path prefixes. This allows a remote attacker to craft a URL that bypasses the intended path segment boundary. Consequently...
CVE-2026-33490
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary, i.e., that the next...
CVE-2026-33490 h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary, i.e., that the next...
CVE-2026-33490
The connected document provides concrete details for CVE-2026-33490: a missing path-segment boundary check in the h3 library allows a mounted sub-app at a base path (e.g., /admin) to leak middleware-induced context (such as isAdmin) to unrelated routes that merely share the string prefix (e.g., /...
H3 security vulnerability
H3 is an open-source HTTP framework developed by H3. Versions of H3 prior to 2.0.2-rc.17 contain a security vulnerability that stems from using the startsWith method to check paths without verifying path segment boundaries. This could lead to middleware...
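The prefix-boundary problem described in the CVE-2026-33490 entries above, shown as an added illustration rather than h3's own code: a router whose mount matching is a bare startsWith check, beside one that also requires the character after the prefix to be end-of-path, "/" or "?". The router, middleware, context fields and the /admin paths are constructed for the example.

```javascript
// Added illustration of the prefix-boundary issue described for mount():
// a bare startsWith check vs one that requires a path-segment boundary.
// This is constructed example code, not h3's implementation; the router,
// middleware and context names are hypothetical.

// Vulnerable check: "/admin" also matches "/administrator" and "/admin-tools".
function matchesPrefixNaive(pathname, base) {
  return pathname.startsWith(base);
}

// Hardened check: after the prefix, the path must end or continue with "/" or "?".
// A base that already ends in "/" ("/admin/") sits on a boundary by construction.
function matchesPrefixSafe(pathname, base) {
  if (!pathname.startsWith(base)) return false;
  if (base.endsWith("/")) return true;
  const next = pathname.charAt(base.length);
  return next === "" || next === "/" || next === "?";
}

// Minimal router: the first mount whose matcher accepts the path runs the
// sub-app's middleware, which sets a flag on the shared request context.
function makeRouter(matchFn) {
  const mounts = [];
  return {
    mount(base, subApp) {
      mounts.push({ base, subApp });
    },
    handle(pathname) {
      const ctx = { pathname, isAdmin: false };
      for (const { base, subApp } of mounts) {
        if (matchFn(pathname, base)) {
          subApp.middleware(ctx);
          return { handledBy: base, ctx };
        }
      }
      return { handledBy: null, ctx };
    },
  };
}

// Sub-app mounted at /admin; its middleware marks the context as admin scope.
const adminApp = {
  middleware(ctx) {
    ctx.isAdmin = true;
  },
};

// Route three constructed paths through a router built on the given matcher.
function demo(matchFn) {
  const router = makeRouter(matchFn);
  router.mount("/admin", adminApp);
  return {
    admin: router.handle("/admin/users"),
    lookalike: router.handle("/administrator/profile"),
    query: router.handle("/admin?tab=1"),
  };
}

console.log(demo(matchesPrefixNaive).lookalike.ctx.isAdmin); // true: context leaks to an unrelated route
console.log(demo(matchesPrefixSafe).lookalike.ctx.isAdmin);  // false
```

The check is deliberately applied to the path component only; query strings are tolerated after the prefix because "/admin?tab=1" still addresses the mounted sub-app.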
GHSA-FP4X-GGRF-WMC6 H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Summary The redirectBack utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths starting with //. An attacker can craft a same-origin URL with a...
Open Redirect
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Open Redirect via the redirectBack function. An attacker can cause users to be redirected to an external, attacker-controlled domain by crafting a URL with a...
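The redirectBack pattern described in the two open-redirect entries above, as an added illustration that is not h3's code: a same-origin check on the Referer followed by echoing its pathname, beside a version that rejects a protocol-relative "//" pathname and re-resolves the candidate against the request origin. The function names and the app.example / evil.example hosts are constructed for the example.

```javascript
// Added illustration of the redirectBack() pattern described above: the Referer
// is checked for the request origin, then its pathname is echoed as the
// redirect target. Constructed example, not h3's code; function names and the
// app.example / evil.example hosts are hypothetical.

// Vulnerable: the origin check passes, but a pathname of "//evil.example/..."
// is later resolved by the browser as a scheme-relative URL, not a local path.
function redirectTargetNaive(refererHeader, requestOrigin, fallback = "/") {
  if (!refererHeader) return fallback;
  let ref;
  try {
    ref = new URL(refererHeader);
  } catch {
    return fallback;
  }
  if (ref.origin !== requestOrigin) return fallback;
  return ref.pathname + ref.search;
}

// Hardened: require exactly one leading "/", and confirm that resolving the
// candidate against the request origin still lands on the request origin.
function redirectTargetSafe(refererHeader, requestOrigin, fallback = "/") {
  if (!refererHeader) return fallback;
  let ref;
  try {
    ref = new URL(refererHeader);
  } catch {
    return fallback;
  }
  if (ref.origin !== requestOrigin) return fallback;
  const candidate = ref.pathname + ref.search;
  if (!candidate.startsWith("/") || candidate.startsWith("//")) return fallback;
  const resolved = new URL(candidate, requestOrigin);
  return resolved.origin === requestOrigin ? candidate : fallback;
}

// Where a browser actually ends up when the value is sent as a Location header.
function browserDestination(location, requestOrigin) {
  return new URL(location, requestOrigin).href;
}

const ORIGIN = "https://app.example";
const CRAFTED = "https://app.example//evil.example/login"; // constructed Referer

console.log(browserDestination(redirectTargetNaive(CRAFTED, ORIGIN), ORIGIN)); // https://evil.example/login
console.log(browserDestination(redirectTargetSafe(CRAFTED, ORIGIN), ORIGIN));  // https://app.example/
```

The re-resolution step is the one to keep even if the string check is later loosened: whatever the candidate looks like, sending it only if `new URL(candidate, requestOrigin)` stays on the request origin is the property that actually matters.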
@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +54 more potentially affected by unknown CVE via h3 (>=2.0.0-beta.4 <=2.0.1-rc.16)
h3 NPM version =2.0.0-beta.4, =2.4.0-alpha.2, =0.0.0, =0.1.25, =0.3.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.3.4 and more Source cves: unknown CVE Source advisory: SNYK:JS-H3-15762218...
@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +54 more potentially affected by unknown CVE via h3 (>=2.0.0-beta.4 <=2.0.1-rc.16)
h3 NPM version =2.0.0-beta.4, =2.4.0-alpha.2, =0.0.0, =0.1.25, =0.3.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.3.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-Q5PR-72PQ-83V3...
Allocation of Resources Without Limits or Throttling
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the getChunkedCookieCount function. An attacker can cause the server to enter an inefficient cleanup...
0xkit (=0.0.1), 0xpass (>=0.0.11 <=0.1.26) +7343 more potentially affected by unknown CVE via h3 (>=0.2.12 <=1.15.6)
h3 NPM version =0.2.12, =0.0.11, =0.0.2, =0.1.0, =1.1.0, =0.1.0, =0.1.0, =1.0.21, =2.0.0, =0.1.4, =0.1.0, =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-4HXC-9384-M385...
@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +61 more potentially affected by unknown CVE via h3 (>=2.0.0-beta.0 <=2.0.1-rc.16)
h3 NPM version =2.0.0-beta.0, =2.4.0-alpha.2, =0.0.0, =0.1.25, =0.3.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.5.4 and more Source cves: unknown CVE Source advisory: SNYK:JS-H3-15746329...
@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +61 more potentially affected by unknown CVE via h3 (>=2.0.0-beta.0 <=2.0.1-rc.16)
h3 NPM version =2.0.0-beta.0, =2.4.0-alpha.2, =0.0.0, =0.1.25, =0.3.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.5.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-4HXC-9384-M385...
CRLF Injection
Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized carriage return characters in the data and comment fields of the EventStream class. An attacker can inject arbitrary server-sent...
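The CRLF problem described in the EventStream entry above, as an added illustration that is not h3's code: a server-sent event formatter that interpolates field values verbatim, beside one that neutralises line breaks, with a small client-side parser to show what each stream looks like to a consumer. The formatter, parser and payload are constructed for the example.

```javascript
// Added illustration of the CRLF issue described for EventStream: a server-sent
// event formatter that interpolates field values verbatim, beside one that
// neutralises line breaks, plus a small client-side parser to show the
// difference. Constructed example, not h3's code; all names are hypothetical.

// Vulnerable formatter: a "\r" or "\n" inside a value ends the field early, so
// an attacker-influenced value can smuggle its own event:, id: or data: lines.
function formatSseNaive({ data, comment, event, id }) {
  let out = "";
  if (comment !== undefined) out += `: ${comment}\n`;
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  out += `data: ${data}\n`;
  return out + "\n";
}

// SSE treats "\r\n", "\n" and a bare "\r" as line terminators.
const LINE_BREAK = /\r\n|\r|\n/;

function stripLineBreaks(value) {
  return String(value).replace(/[\r\n]/g, "");
}

// Hardened formatter: single-line fields lose CR/LF entirely; multi-line data is
// emitted as several data: lines, which the client joins back with "\n".
function formatSseSafe({ data, comment, event, id }) {
  let out = "";
  if (comment !== undefined) out += `: ${stripLineBreaks(comment)}\n`;
  if (event !== undefined) out += `event: ${stripLineBreaks(event)}\n`;
  if (id !== undefined) out += `id: ${stripLineBreaks(id)}\n`;
  for (const line of String(data).split(LINE_BREAK)) out += `data: ${line}\n`;
  return out + "\n";
}

// Minimal client-side parser following the SSE line/field rules: a blank line
// dispatches the event, ":" lines are comments, one optional space after the colon.
function parseSse(text) {
  const events = [];
  let cur = { event: "message", data: [] };
  for (const line of text.split(LINE_BREAK)) {
    if (line === "") {
      if (cur.data.length > 0) events.push({ event: cur.event, data: cur.data.join("\n") });
      cur = { event: "message", data: [] };
      continue;
    }
    if (line.startsWith(":")) continue;
    const i = line.indexOf(":");
    const field = i < 0 ? line : line.slice(0, i);
    let value = i < 0 ? "" : line.slice(i + 1);
    if (value.startsWith(" ")) value = value.slice(1);
    if (field === "data") cur.data.push(value);
    else if (field === "event") cur.event = value;
  }
  return events;
}

// Constructed attacker-influenced payload: a blank line, then a second event.
const INJECTED = "ok\n\nevent: session-expired\ndata: {}";

console.log(parseSse(formatSseNaive({ data: INJECTED })).length); // 2: the injected event is dispatched
console.log(parseSse(formatSseSafe({ data: INJECTED })).length);  // 1: the payload stays inside one data field
```

Splitting data across several data: lines, rather than stripping the breaks, keeps the original value intact end to end; stripping is only appropriate for fields that are single-line by definition.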