{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-16T20:08:06.010","vulnerabilities":[{"cve":{"id":"CVE-2026-33490","sourceIdentifier":"security-advisories@github.com","published":"2026-03-26T18:16:30.237","lastModified":"2026-03-31T21:00:13.690","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags. Version 2.0.2-rc.17 contains a patch."},{"lang":"es","value":"H3 es un framework H(TTP) mínimo. En las versiones 2.0.0-0 hasta la 2.0.1-rc.16, el método 'mount()' en h3 usa una simple verificación 'startsWith()' para determinar si las solicitudes entrantes caen bajo el prefijo de ruta de una subaplicación montada. Debido a que esta verificación no verifica un límite de segmento de ruta (es decir, que el siguiente carácter después de la base es '/' o el final de la cadena), el middleware registrado en un montaje como '/admin' también se ejecutará para rutas no relacionadas como '/admin-public', '/administrator' o '/adminstuff'. Esto permite a un atacante activar middleware de configuración de contexto en rutas que nunca se pretendió cubrir, potencialmente contaminando el contexto de la solicitud con indicadores de privilegio no deseados. La versión 2.0.2-rc.17 contiene un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-706"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc1:*:*:*:node.js:*:*","matchCriteriaId":"910077BC-C84C-4CAB-A0A5-761047F6F43C"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc10:*:*:*:node.js:*:*","matchCriteriaId":"603A08FC-B20B-4693-90A1-0BF5F08B43AC"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc11:*:*:*:node.js:*:*","matchCriteriaId":"BCC5ECF0-0EED-48BC-95FA-1D2671A971A9"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc12:*:*:*:node.js:*:*","matchCriteriaId":"BCCBE75E-DCF6-45FD-B57E-F8E2ADE3129F"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc13:*:*:*:node.js:*:*","matchCriteriaId":"3B66082C-3F3E-4BC6-9543-A2F9CFE3AAC6"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc14:*:*:*:node.js:*:*","matchCriteriaId":"3D1C9D7B-3CE4-427B-93B4-EAF867159AFB"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc15:*:*:*:node.js:*:*","matchCriteriaId":"5AE7D8A6-4506-418A-ABA4-C820A1DA7E7F"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc16:*:*:*:node.js:*:*","matchCriteriaId":"281715D9-6C86-4D4E-9833-C18A8CABD05A"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc2:*:*:*:node.js:*:*","matchCriteriaId":"C5E7779A-00CA-45E7-8F68-1DAB5388ED4A"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc3:*:*:*:node.js:*:*","matchCriteriaId":"064C21F5-8633-45F3-9A3D-3FB029A867B9"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc4:*:*:*:node.js:*:*","matchCriteriaId":"DDBC1DFD-8063-4AE1-92D8-B3B33735FEF0"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc5:*:*:*:node.js:*:*","matchCriteriaId":"496314A3-8F2B-4274-9D0D-7F11E896FEA5"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc6:*:*:*:node.js:*:*","matchCriteriaId":"35F49342-D52C-4762-9369-F380C5E7E0B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc7:*:*:*:node.js:*:*","matchCriteriaId":"D11CA1A7-3141-46EA-9687-32C333FC7B0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc8:*:*:*:node.js:*:*","matchCriteriaId":"A4A6FD03-5DE5-4D73-9FF3-BB653302C60B"},{"vulnerable":true,"criteria":"cpe:2.3:a:h3:h3:2.0.1:rc9:*:*:*:node.js:*:*","matchCriteriaId":"5E404148-6862-44F5-961D-10E8A742A4B6"}]}]}],"references":[{"url":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}