Event Spoofing Vulnerability in sse-channel by rexxars
CVE-2026-44217

6.6 MEDIUM

Key Information:

Vendor

Rexxars

CVE Published:
12 May 2026

What is CVE-2026-44217?

The sse-channel package, an SSE (Server-Sent Events) implementation for Node.js, is vulnerable to event spoofing in versions prior to 4.0.1. The issue arises when user-provided values are passed to the event, retry, or id fields: an unauthorized user may then inject arbitrary messages into the data stream, compromising the integrity and reliability of the data communicated through the application.
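The class of check this calls for, as an added example (not sse-channel's code and not the 4.0.1 fix): a serializer that interpolates fields verbatim next to one that validates them. It assumes the injection vector is a line break inside a field value, since the SSE wire format is line-delimited and a blank line ends an event; all function names and the sample input are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not the sse-channel API.
const LINE_BREAK = /[\r\n]/;

// 'Before' form: every field is interpolated verbatim.
function serializeNaive({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  return out + `data: ${data}\n\n`;
}

// Hardened form: event/id must be single-line, retry must be a
// non-negative integer, and data is split so each line gets its own prefix.
function serializeSafe({ event, id, retry, data = '' }) {
  let out = '';
  for (const [name, value] of [['event', event], ['id', id]]) {
    if (value === undefined) continue;
    const text = String(value);
    if (LINE_BREAK.test(text)) {
      throw new TypeError(`SSE field "${name}" must not contain CR or LF`);
    }
    out += `${name}: ${text}\n`;
  }
  if (retry !== undefined) {
    if (!Number.isInteger(retry) || retry < 0) {
      throw new TypeError('SSE field "retry" must be a non-negative integer');
    }
    out += `retry: ${retry}\n`;
  }
  for (const line of String(data).split(/\r\n|\r|\n/)) {
    out += `data: ${line}\n`;
  }
  return out + '\n';
}

// Receiver-side view: events are blocks separated by a blank line.
function countEvents(stream) {
  return stream.split(/\r\n\r\n|\n\n|\r\r/).filter((b) => /\S/.test(b)).length;
}

// Constructed sample: a user-supplied event name carrying line breaks.
const CONSTRUCTED_EVENT = 'chat\ndata: forged\n\n';

console.log(countEvents(serializeNaive({ event: CONSTRUCTED_EVENT, data: 'hello' })));
try {
  serializeSafe({ event: CONSTRUCTED_EVENT, data: 'hello' });
} catch (err) {
  console.log(err.message);
}
```

The same validation applies wherever request parameters, usernames, or message ids reach the event, id, or retry fields before they are written to the stream.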

Affected Version(s)

sse-channel < 4.0.1

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved