All 5 CVE vulnerabilities found in h3, with AI-generated Chinese analysis, references, and POCs.
Vendor: h3js

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33490 | h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes | CWE-706 | 3.7 | Low | 2026-03-26 |
| CVE-2026-33131 | h3 has a middleware bypass with one gadget | CWE-290 | 7.4 | High | 2026-03-20 |
| CVE-2026-33129 | h3 has an observable timing discrepancy in basic auth utils | CWE-208 | 5.9 | Medium | 2026-03-20 |
| CVE-2026-33128 | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields | CWE-93 | 7.5 | High | 2026-03-20 |
| CVE-2026-23527 | h3 v1 has Request Smuggling (TE.TE) issue | CWE-444 | 8.9 | High | 2026-01-15 |