CVE-2026-33131
A flaw was found in H3, a minimal HTTP framework. When event.url, event.url.hostname, or event.url.url is accessed, such as in a logging middleware, the url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler befor...