PT-2026-39241 · Npm+1 · Eventsource-Encoder
Rexxars · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-44214
CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: eventsource-encoder versions prior to 1.0.2
Description: The software fails to sanitize the event and id fields of an EventSourceMessage before serialization in the encodeMessage() function. An attacker who controls these fields can inject Server-Sent Events (SSE) line terminators (\n, \r, or \r\n), allowing them to forge additional SSE fields or entire messages on the stream. This can lead to spoofing events of arbitrary types, injecting fields such as data:, id:, or retry:, splitting a single encoding call into multiple browser events, or overriding the client's Last-Event-ID.
Recommendations: Update to version 1.0.2. As a temporary workaround, validate or strip line terminators from any untrusted value before passing it to the encode() or encodeMessage() functions.
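To make the missing check concrete, here is an added, illustrative pair of SSE encoders (example code, not eventsource-encoder's own): the unchecked variant mirrors the pre-1.0.2 behaviour the advisory describes, and the hardened one rejects event and id values that contain CR or LF, which is the validation the workaround recommends. Function names and the sample message are constructed for this example.

```javascript
// Illustrative SSE encoder pair (not eventsource-encoder's actual code).
const LINE_TERMINATOR = /[\r\n]/;

// Encodes without validating `event` and `id`, like the behaviour described for
// versions before 1.0.2: a terminator inside either field starts a new SSE line.
function encodeUnchecked(msg) {
  let out = '';
  if (msg.event !== undefined) out += `event: ${msg.event}\n`;
  if (msg.id !== undefined) out += `id: ${msg.id}\n`;
  if (msg.retry !== undefined) out += `retry: ${msg.retry}\n`;
  // `data` is the one field where newlines are legitimate: each line of the
  // payload is emitted as its own `data:` line and the client rejoins them.
  const data = msg.data === undefined ? '' : String(msg.data);
  for (const line of data.split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n'; // blank line ends the frame
}

// Hardened variant: refuse any `event` or `id` carrying a CR or LF, so one call
// can never emit fields the caller did not set or split into several frames.
function encodeChecked(msg) {
  for (const field of ['event', 'id']) {
    const v = msg[field];
    if (v !== undefined && LINE_TERMINATOR.test(String(v))) {
      throw new TypeError(`SSE field "${field}" must not contain line terminators`);
    }
  }
  return encodeUnchecked(msg);
}

// Lists the field names a client would parse from an encoded frame; useful for
// checking that an encoding contains only the fields the caller intended.
function fieldNames(encoded) {
  return encoded.split('\n').filter(Boolean).map((l) => l.split(':')[0]);
}

// Constructed sample: an untrusted id that smuggles a line terminator.
const untrusted = { event: 'update', id: '42\nretry: 1', data: 'ok' };

console.log(fieldNames(encodeUnchecked(untrusted))); // retry appears although never set
try {
  encodeChecked(untrusted);
} catch (e) {
  console.log(e.message); // hardened encoder rejects the value instead
}
```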

Related Identifiers

CVE-2026-44214
GHSA-M9G3-3G99-MHPX

Affected Products

Eventsource-Encoder