pkg:npm/h3

5 total CVEsHIGH3MEDIUM1LOW1

✅ Check your installed version

All known vulnerabilities

  • HIGH8.9CVE-2026-23527h3 v1 has Request Smuggling (TE.TE) issue
    from 0, < 1.15.5
  • HIGH7.5CVE-2026-33128h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
    >= 2.0.0, < 2.0.1-rc.15
  • HIGH7.4CVE-2026-33131h3 has a middleware bypass with one gadget
    >= 2.0.0-0, < 2.0.1-rc.15
  • MEDIUM5.9CVE-2026-33129h3 has an observable timing discrepancy in basic auth utils
    >= 2.0.0-beta.0, < 2.0.1-rc.9
  • LOW3.7CVE-2026-33490h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
    >= 2.0.1-alpha.0, < 2.0.1-rc.17