CVE-2026-35515

medium Red Hat
CVSS v3 Base Score
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.0%
Exploitation probability in 30 days
Top 98% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
Low
Availability
Low
Published: April 7, 2026 (94 days ago)
Last Modified: April 7, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in Nest, a framework for building Node.js server-side applications. An attacker can exploit a vulnerability in the `SseStream._transform()` function by injecting newline characters into `message.type` and `message.id` fields. This allows the attacker to inject arbitrary Server-Sent Events (SSE), spoof event types, and corrupt the reconnection state, potentially leading to unexpected application behavior or denial of service.

CWE

CWE-93

Affected Products

Red Hat Developer HubRed Hat OpenShift Container Platform 4

References