JLSEC-2026-619 CR/LF injection in server-sent events (SSE) fields in HTTP.jl
Description The server-side SSE serializer wrote the single-line fields event, id, and retry verbatim to the text/event-stream wire with no CR/LF filtering, and split the multi-line data field only on \n, ignoring a bare \r that is also a valid SSE line terminator. The SSEEvent constructor...