Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-29085 is a medium severity vulnerability with a CVSS score of 6.5. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
When using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters.
Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields.
The SSE helper builds event frames by joining lines with \n. While multi-line data: fields are handled according to the SSE specification, the event, id, and retry fields previously allowed raw values without rejecting embedded CR/LF characters.
Including CR/LF in these control fields could allow unintended additional fields (such as data:, id:, or retry:) to be injected into the event stream.
The issue has been fixed by rejecting CR/LF characters in these fields.
An attacker could manipulate the structure of SSE event frames if an application passed user-controlled input directly into event, id, or retry.
Depending on application behavior, this could result in injected SSE fields or altered event stream handling. Applications that render e.data in an unsafe manner (for example, using innerHTML) could potentially expose themselves to client-side script injection.
This issue affects applications that rely on the SSE helper to enforce protocol-level constraints.
| Vendor | Product |
|---|---|
| Hono | Hono |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.