CVE-2026-33490

A flaw was found in H3, a minimal HTTP framework. The `mount()` method, responsible for routing requests to sub-applications, incorrectly uses a simple string comparison to check path prefixes. This allows a remote attacker to craft a URL that bypasses the intended path segment boundary. Consequently, middleware designed for specific administrative paths could be triggered for unrelated public paths, potentially leading to the exposure of sensitive information or unintended access due to incorrect privilege flags being set in the request context.