Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/40684?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/40684?format=api", "purl": "pkg:npm/hono@4.12.7", "type": "npm", "namespace": "", "name": "hono", "version": "4.12.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.12.18", "latest_non_vulnerable_version": "4.12.21", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/68028?format=api", "vulnerability_id": "VCID-3d6m-3rha-dkc2", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44456", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0194", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01936", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01939", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44456" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44456", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" 
}, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44456" }, { "reference_url": "https://github.com/advisories/GHSA-9vqf-7f2p-gf9v", "reference_id": "GHSA-9vqf-7f2p-gf9v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9vqf-7f2p-gf9v" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-9vqf-7f2p-gf9v", "reference_id": "GHSA-9vqf-7f2p-gf9v", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T15:31:08Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-9vqf-7f2p-gf9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375696?format=api", "purl": "pkg:npm/hono@4.12.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.16" } ], "aliases": [ "CVE-2026-44456", "GHSA-9vqf-7f2p-gf9v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3d6m-3rha-dkc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359295?format=api", "vulnerability_id": "VCID-7xab-d7wk-83c5", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44459", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0606", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06083", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06074", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44459" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44459", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44459" }, { "reference_url": "https://github.com/advisories/GHSA-hm8q-7f3q-5f36", "reference_id": "GHSA-hm8q-7f3q-5f36", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm8q-7f3q-5f36" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375796?format=api", "purl": "pkg:npm/hono@4.12.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18" } ], "aliases": [ "CVE-2026-44459", "GHSA-hm8q-7f3q-5f36" ], "risk_score": 1.7, "exploitability": "0.5", "weighted_severity": "3.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7xab-d7wk-83c5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73093?format=api", "vulnerability_id": "VCID-9xtz-up2w-mqdh", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. 
This vulnerability is fixed in 4.12.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06268", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06257", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06246", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39407" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39407", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39407" }, { "reference_url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c", "reference_id": "9aff14bd727f8b0435c963363fd803260e7b8e3c", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/" } ], "url": "https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c" }, { 
"reference_url": "https://github.com/advisories/GHSA-wmmm-f939-6g9c", "reference_id": "GHSA-wmmm-f939-6g9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wmmm-f939-6g9c" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c", "reference_id": "GHSA-wmmm-f939-6g9c", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c" }, { "reference_url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "reference_id": "v4.12.12", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/" } ], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373301?format=api", "purl": "pkg:npm/hono@4.12.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12" } ], "aliases": [ "CVE-2026-39407", "GHSA-wmmm-f939-6g9c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9xtz-up2w-mqdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359803?format=api", "vulnerability_id": "VCID-ajhs-ueyw-pfbz", "summary": "Hono missing validation of cookie name on write path in setCookie()\n## Summary\n\nCookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.\n\nWhile certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.\n\nThis results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).\n\n## Details\n\nWhen applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\\r` or `\\n`) can be used to construct malformed `Set-Cookie` header values.\n\nFor example:\n\n```\nSet-Cookie: legit\nX-Injected: evil=value\n```\n\nHowever, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.\n\nAs a result, the reported header injection / response splitting behavior could not be reproduced in these environments.\n\n## Impact\n\nApplications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.\n\nIn tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.\n\nThis issue primarily affects correctness and robustness rather than introducing a confirmed exploitable 
vulnerability.", "references": [ { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm" }, { "reference_url": "https://github.com/advisories/GHSA-26pp-8wgv-hjvm", "reference_id": "GHSA-26pp-8wgv-hjvm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26pp-8wgv-hjvm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373301?format=api", "purl": "pkg:npm/hono@4.12.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": 
"VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12" } ], "aliases": [ "GHSA-26pp-8wgv-hjvm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ajhs-ueyw-pfbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359907?format=api", "vulnerability_id": "VCID-dy2t-qdtz-d3a1", "summary": "hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR\n## Summary\n\nImproper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output.\n\nWhen untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.\n\n## Details\n\nWhen rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation.\n\nIf an attribute name contains characters such as `\"`, `>`, or whitespace, it can alter the structure of the generated HTML.\n\nFor example, malformed attribute names can:\n\n* Break out of the current attribute and introduce unintended additional attributes\n* Break out of the current HTML tag and inject new elements into the output\n\nThis issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.\n\n## Impact\n\nAn attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output.\n\nThis may lead to:\n\n* Injection of unexpected HTML attributes\n* Corruption of the HTML structure\n* Potential cross-site scripting (XSS) if combined with unsafe usage patterns\n\nThis issue affects applications that pass untrusted input as 
JSX attribute keys during server-side rendering.", "references": [ { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375" }, { "reference_url": "https://github.com/advisories/GHSA-458j-xx4x-4375", "reference_id": "GHSA-458j-xx4x-4375", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-458j-xx4x-4375" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374085?format=api", "purl": "pkg:npm/hono@4.12.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.14" } ], "aliases": [ "GHSA-458j-xx4x-4375" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dy2t-qdtz-d3a1" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/72792?format=api", "vulnerability_id": "VCID-e3g1-j76d-ebes", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39410", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09166", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09224", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09222", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39410" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39410", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39410" }, { "reference_url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0", "reference_id": 
"cc067c85592415cb1880ad3c61ed923472452ec0", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/" } ], "url": "https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0" }, { "reference_url": "https://github.com/advisories/GHSA-r5rp-j6wh-rvv4", "reference_id": "GHSA-r5rp-j6wh-rvv4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r5rp-j6wh-rvv4" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4", "reference_id": "GHSA-r5rp-j6wh-rvv4", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4" }, { "reference_url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "reference_id": "v4.12.12", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/" } ], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373301?format=api", "purl": "pkg:npm/hono@4.12.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12" } ], "aliases": [ "CVE-2026-39410", "GHSA-r5rp-j6wh-rvv4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3g1-j76d-ebes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67719?format=api", "vulnerability_id": "VCID-e479-yqm3-wkg4", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. 
This vulnerability is fixed in 4.12.16.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44455", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10049", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09994", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10044", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44455" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44455", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44455" }, { "reference_url": "https://github.com/advisories/GHSA-69xw-7hcm-h432", "reference_id": "GHSA-69xw-7hcm-h432", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-69xw-7hcm-h432" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432", "reference_id": "GHSA-69xw-7hcm-h432", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T13:45:57Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375696?format=api", "purl": "pkg:npm/hono@4.12.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.16" } ], "aliases": [ "CVE-2026-44455", "GHSA-69xw-7hcm-h432" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e479-yqm3-wkg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67626?format=api", "vulnerability_id": "VCID-mfkw-vtvw-bqas", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. 
This vulnerability is fixed in 4.12.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44458", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13527", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13407", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13523", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44458" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44458", "reference_id": "CVE-2026-44458", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44458" }, { "reference_url": "https://github.com/advisories/GHSA-qp7p-654g-cw7p", "reference_id": "GHSA-qp7p-654g-cw7p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qp7p-654g-cw7p" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p", "reference_id": "GHSA-qp7p-654g-cw7p", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T16:00:00Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375796?format=api", "purl": "pkg:npm/hono@4.12.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18" } ], "aliases": [ "CVE-2026-44458", "GHSA-qp7p-654g-cw7p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfkw-vtvw-bqas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72878?format=api", "vulnerability_id": "VCID-q2gc-djt2-a3e9", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. 
This vulnerability is fixed in 4.12.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04404", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04394", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04409", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39408" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39408", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39408" }, { "reference_url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679", "reference_id": "b470278920fffcfd6d76002755d6db53db827679", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:31:12Z/" } ], "url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679" }, { "reference_url": "https://github.com/advisories/GHSA-xf4j-xp2r-rqqx", "reference_id": "GHSA-xf4j-xp2r-rqqx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xf4j-xp2r-rqqx" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx", "reference_id": "GHSA-xf4j-xp2r-rqqx", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:31:12Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx" }, { "reference_url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "reference_id": "v4.12.12", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:31:12Z/" } ], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/373301?format=api", "purl": "pkg:npm/hono@4.12.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12" } ], "aliases": [ "CVE-2026-39408", "GHSA-xf4j-xp2r-rqqx" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q2gc-djt2-a3e9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73180?format=api", "vulnerability_id": "VCID-uwfg-jrfw-s7cc", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match (a deny rule may not block the address, and an allow rule may not admit it), leading to unintended authorization behavior. 
This vulnerability is fixed in 4.12.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02359", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02366", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02368", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39409" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39409", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39409" }, { "reference_url": "https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39", "reference_id": "48fa2233bc092f650119f42df043050737cabf39", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/" } ], "url": "https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39" }, { "reference_url": "https://github.com/advisories/GHSA-xpcf-pg52-r92g", "reference_id": "GHSA-xpcf-pg52-r92g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xpcf-pg52-r92g" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g", "reference_id": "GHSA-xpcf-pg52-r92g", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g" }, { "reference_url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "reference_id": "v4.12.12", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/" } ], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373301?format=api", "purl": "pkg:npm/hono@4.12.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12" } ], "aliases": [ "CVE-2026-39409", "GHSA-xpcf-pg52-r92g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwfg-jrfw-s7cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67696?format=api", "vulnerability_id": "VCID-zf4g-8fjt-qke8", "summary": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. 
This vulnerability is fixed in 4.12.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44457", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11836", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11751", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11837", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44457" }, { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44457", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44457" }, { "reference_url": "https://github.com/advisories/GHSA-p77w-8qqv-26rm", "reference_id": "GHSA-p77w-8qqv-26rm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p77w-8qqv-26rm" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm", "reference_id": "GHSA-p77w-8qqv-26rm", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T14:06:33Z/" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375796?format=api", "purl": "pkg:npm/hono@4.12.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18" } ], "aliases": [ "CVE-2026-44457", "GHSA-p77w-8qqv-26rm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zf4g-8fjt-qke8" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212808?format=api", "vulnerability_id": "VCID-hghf-rym3-3ufa", "summary": "Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })", "references": [ { "reference_url": "https://github.com/honojs/hono", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono" }, { "reference_url": "https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe" }, { "reference_url": "https://github.com/advisories/GHSA-v8w9-8mx6-g223", 
"reference_id": "GHSA-v8w9-8mx6-g223", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8w9-8mx6-g223" }, { "reference_url": "https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223", "reference_id": "GHSA-v8w9-8mx6-g223", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40684?format=api", "purl": "pkg:npm/hono@4.12.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3d6m-3rha-dkc2" }, { "vulnerability": "VCID-7xab-d7wk-83c5" }, { "vulnerability": "VCID-9xtz-up2w-mqdh" }, { "vulnerability": "VCID-ajhs-ueyw-pfbz" }, { "vulnerability": "VCID-dy2t-qdtz-d3a1" }, { "vulnerability": "VCID-e3g1-j76d-ebes" }, { "vulnerability": "VCID-e479-yqm3-wkg4" }, { "vulnerability": "VCID-mfkw-vtvw-bqas" }, { "vulnerability": "VCID-q2gc-djt2-a3e9" }, { "vulnerability": "VCID-uwfg-jrfw-s7cc" }, { "vulnerability": "VCID-zf4g-8fjt-qke8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.7" } ], "aliases": [ "GHSA-v8w9-8mx6-g223" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hghf-rym3-3ufa" } ], "risk_score": "3.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.7" }