{"url":"http://public2.vulnerablecode.io/api/packages/733456?format=json","purl":"pkg:npm/hono@4.0.3","type":"npm","namespace":"","name":"hono","version":"4.0.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.12.18","latest_non_vulnerable_version":"4.12.21","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50851?format=json","vulnerability_id":"VCID-1xec-9tx6-xqdv","summary":"Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })\nWhen using `parseBody({ dot: true })` in HonoRequest, specially crafted form field names such as `__proto__.x` could create objects containing a `__proto__` property.\n\nIf the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the target object.","references":[{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe"},{"reference_url":"https://github.com/advisories/GHSA-v8w9-8mx6-g223","reference_id":"GHSA-v8w9-8mx6-g223","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v8w9-8mx6-g223"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-
v8w9-8mx6-g223","reference_id":"GHSA-v8w9-8mx6-g223","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74764?format=json","purl":"pkg:npm/hono@4.12.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.7"}],"aliases":["GHSA-v8w9-8mx6-g223"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xec-9tx6-xqdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49684?format=json","vulnerability_id":"VCID-2qtp-svb7-jfej","summary":"Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks \"alg\" (untrusted header.alg fallback)\nA flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. 
This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22818","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06095","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06073","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0612","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06124","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06136","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22818"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T15:29:32Z/"}],"url":"https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22818","reference_id":"CVE-2026-22818","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22818"},{"reference_url":"https://github.com/advisories/GHSA-3vhc-576x-3qv4","reference_id":"GHSA-3vhc-576x-3qv4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vhc-576x-3qv4"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4","reference_id":"GHSA-3vhc-576x-3qv4","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-15T15:29:32Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73317?format=json","purl":"pkg:npm/hono@4.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/pa
ckages/pkg:npm/hono@4.11.4"}],"aliases":["CVE-2026-22818","GHSA-3vhc-576x-3qv4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qtp-svb7-jfej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89401?format=json","vulnerability_id":"VCID-3egq-e16y-5bez","summary":"Hono: Path traversal in toSSG() allows writing files outside the output directory\n## Summary\n\nA path traversal issue in `toSSG()` allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via `ssgParams`, specially crafted values can cause generated file paths to escape the intended output directory.\n\n## Details\n\nThe static site generation process creates output files based on route paths derived from application routes and parameters. When `ssgParams` is used to provide values for dynamic routes, those values are used to construct output file paths. If these values contain traversal sequences (e.g. `..`), the resulting output path may resolve outside the configured output directory. 
As a result, files may be written to unintended locations instead of being confined within the specified output directory.\n\nFor example:\n \n```ts\nimport { Hono } from 'hono'\nimport { toSSG, ssgParams } from 'hono/ssg'\n\nconst app = new Hono()\n\napp.get('/:id', ssgParams([{ id: '../pwned' }]), (c) => {\n  return c.text('pwned')\n})\n\ntoSSG(app, fs, { dir: './static' })\n```\n\nIn this case, the generated output path may resolve outside `./static`, resulting in a file being written outside the intended output directory.\n\n## Impact\n\nAn attacker who can influence values passed to `ssgParams` during the build process may be able to write files outside the intended output directory.\n\nDepending on the build and deployment environment, this may:\n\n* overwrite unintended files\n* affect generated artifacts\n* impact deployment outputs or downstream tooling\n\nThis issue is limited to build-time static site generation and does not affect request-time routing.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39408","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.0439","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04377","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04357","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04404","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04416","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39408"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"gene
ric_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:31:12Z/"}],"url":"https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.12.12","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:31:12Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.12.12"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T2
0:31:12Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39408","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39408"},{"reference_url":"https://github.com/advisories/GHSA-xf4j-xp2r-rqqx","reference_id":"GHSA-xf4j-xp2r-rqqx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xf4j-xp2r-rqqx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109911?format=json","purl":"pkg:npm/hono@4.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12"}],"aliases":["CVE-2026-39408","GHSA-xf4j-xp2r-rqqx"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3egq-e16y-5bez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56021?format=json","vulnerability_id":"VCID-5a44-yk5e-eufr","summary":"Hono allows bypass of CSRF Middleware by a request without Content-Type header.\nBypass CSRF Middleware by a request without Content-Type 
header.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48913","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46491","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46454","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46444","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.4647","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46489","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48913"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:14:46Z/"}],"url":"https://github.com/honojs/hono/blob/cebf4e87f3984a6a034e60a43f542b4c5225b668/src/middleware/csrf/index.ts#L76-L89"},{"reference_url":"https://github.com/honojs/hono/commit/aa50e0ab77b5af8c53c50fe3b271892f8eeeea82","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"gen
eric_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:14:46Z/"}],"url":"https://github.com/honojs/hono/commit/aa50e0ab77b5af8c53c50fe3b271892f8eeeea82"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48913","reference_id":"CVE-2024-48913","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48913"},{"reference_url":"https://github.com/advisories/GHSA-2234-fmw7-43wr","reference_id":"GHSA-2234-fmw7-43wr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2234-fmw7-43wr"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr","reference_id":"GHSA-2234-fmw7-43wr","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:14:46Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-2234-fmw7-43wr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82965?format=json","purl":"pkg:npm/hono@4.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4
"},{"vulnerability":"VCID-b9q6-pv4d-8uej"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-cw64-5xy1-7ycu"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-p49f-jmyh-xydd"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.6.5"}],"aliases":["CVE-2024-48913","GHSA-2234-fmw7-43wr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5a44-yk5e-eufr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92899?format=json","vulnerability_id":"VCID-5p4q-brb6-bkgy","summary":"Hono: bodyLimit() can be bypassed for chunked / unknown-length requests\n## Summary\n\n`bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`.\n\n## Details\n\nFor chunked / unknown-length requests, `bodyLimit()` wraps the body in a stream that counts bytes asynchronously, then runs the handler before the size decision is final. 
The `413` is only applied afterwards by checking `c.error`.\n\nThis lets the limit be bypassed when:\n\n- the handler does not read the body,\n- the handler reads only the first chunk(s) and returns, or\n- the handler reads the body but swallows the read error in `try/catch`.\n\nIn all three cases the handler returns `200` before the limit check completes (or its result is observed).\n\nThe fix is to enforce the size decision before `next()` runs, instead of retrofitting the response via `c.error` afterwards.\n\n## Impact\n\nApplications relying on `bodyLimit()` as a hard boundary can be bypassed: oversized chunked requests can reach handler logic and return successful responses. Per-request data exposure is bounded by `maxSize`, but the documented guarantee — \"oversized requests are rejected before business logic runs\" — does not hold.\n\n## Credits\n\n- @lalalala5678 (slow chunked / early return variants)\n- @Jvr2022 (error handling bypass)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44456","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01933","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01956","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01964","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01954","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.0194","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44456"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],
"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-9vqf-7f2p-gf9v","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T15:31:08Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-9vqf-7f2p-gf9v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44456","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44456"},{"reference_url":"https://github.com/advisories/GHSA-9vqf-7f2p-gf9v","reference_id":"GHSA-9vqf-7f2p-gf9v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9vqf-7f2p-gf9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/116015?format=json","purl":"pkg:npm/hono@4.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.16"}],"aliases":["CVE-2026-44456","GHSA-9vqf-7f2p-gf9v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5p4q-brb6-bkgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50666?format=json","vulnerability_id":"VCID-5p8b-jvgn-mugv","summary":"Hono 
vulnerable to arbitrary file access via serveStatic vulnerability\nWhen using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.\n\nThe router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29045","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15923","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15858","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15836","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15965","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15975","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29045"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/
D:T/2026-03-05T15:39:29Z/"}],"url":"https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29045","reference_id":"CVE-2026-29045","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29045"},{"reference_url":"https://github.com/advisories/GHSA-q5qw-h33p-qvwr","reference_id":"GHSA-q5qw-h33p-qvwr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q5qw-h33p-qvwr"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr","reference_id":"GHSA-q5qw-h33p-qvwr","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-05T15:39:29Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74434?format=json","purl":"pkg:npm/hono@4.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCI
D-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"}],"aliases":["CVE-2026-29045","GHSA-q5qw-h33p-qvwr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5p8b-jvgn-mugv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95711?format=json","vulnerability_id":"VCID-7je8-dyg1-6uhg","summary":"Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage\n### Summary\n\nCache Middleware does not skip caching for responses that declare per-user variance via `Vary: Authorization` or `Vary: Cookie`. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.\n\n### Details\n\nThe Cache Middleware skips caching when a response carries `Vary: *`, certain `Cache-Control` directives (`private`, `no-store`, `no-cache`), or `Set-Cookie`. However, `Vary: Authorization` and `Vary: Cookie` — the standard signals defined in RFC 9110 / RFC 9111 to indicate per-user responses — are not treated as cache-skip reasons.\n\nThis issue arises when applications use the Cache Middleware on endpoints that return user-specific data and rely on `Vary: Authorization` or `Vary: Cookie` to scope the response per user, without also setting `Cache-Control: private`.\n\n### Impact\n\nA user may receive a cached response that was originally generated for a different authenticated user. 
This may lead to:\n\n- Disclosure of personally identifiable information or other user-specific data present in the response body\n- Inconsistent or incorrect behavior in user-specific endpoints\n\nThis issue affects applications that use the Cache Middleware on endpoints whose responses vary by `Authorization` or `Cookie` and that do not also set `Cache-Control: private`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44457","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11676","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11788","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11782","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11747","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11666","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44457"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T14:06:33Z/"}],"url":"https://github
.com/honojs/hono/security/advisories/GHSA-p77w-8qqv-26rm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44457","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44457"},{"reference_url":"https://github.com/advisories/GHSA-p77w-8qqv-26rm","reference_id":"GHSA-p77w-8qqv-26rm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p77w-8qqv-26rm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/116981?format=json","purl":"pkg:npm/hono@4.12.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18"}],"aliases":["CVE-2026-44457","GHSA-p77w-8qqv-26rm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7je8-dyg1-6uhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94417?format=json","vulnerability_id":"VCID-7mp8-4jr7-2uan","summary":"Hono has CSS Declaration Injection via Style Object Values in JSX SSR\n### Summary\n\nThe JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.\n\n### Details\n\n`style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. 
Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property.\n\nThis issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side.\n\n### Impact\n\nAn attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to:\n\n- Visual manipulation of the page, including full-viewport overlays usable for phishing\n- Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)`\n- Hijacking of UI affordances through layout, positioning, or visibility changes\n\nThis issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44458","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13324","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13409","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13414","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13373","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13293","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44458"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/ho
nojs/hono/security/advisories/GHSA-qp7p-654g-cw7p","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T16:00:00Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44458","reference_id":"CVE-2026-44458","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44458"},{"reference_url":"https://github.com/advisories/GHSA-qp7p-654g-cw7p","reference_id":"GHSA-qp7p-654g-cw7p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qp7p-654g-cw7p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/116981?format=json","purl":"pkg:npm/hono@4.12.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18"}],"aliases":["CVE-2026-44458","GHSA-qp7p-654g-cw7p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7mp8-4jr7-2uan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49866?format=json","vulnerability_id":"VCID-8j4n-5v7n-rkh4","summary":"Hono cache middleware ignores \"Cache-Control: private\" leading to Web Cache Deception\nCache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. 
The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24472","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03708","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03743","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0374","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0372","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03731","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24472"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:35Z/"}],"url":"https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.11.7","reference_id":"","reference_type":"","scores":[{"value":"5.3","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:35Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.11.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24472","reference_id":"CVE-2026-24472","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24472"},{"reference_url":"https://github.com/advisories/GHSA-6wqw-2p9w-4vw4","reference_id":"GHSA-6wqw-2p9w-4vw4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wqw-2p9w-4vw4"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4","reference_id":"GHSA-6wqw-2p9w-4vw4","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:35Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73634?format=json","purl":"pkg:npm/hono@4.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulner
ability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.11.7"}],"aliases":["CVE-2026-24472","GHSA-6wqw-2p9w-4vw4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8j4n-5v7n-rkh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58174?format=json","vulnerability_id":"VCID-b9q6-pv4d-8uej","summary":"Hono has Body Limit Middleware Bypass\nA flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were 
present.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59139","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.1381","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13781","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16738","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16697","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16735","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59139"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:43:41Z/"}],"url":"https://github.com/honojs/hono/commit/605c70560b52f13af10379f79b76717042fafe8d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59139","reference_id":"CVE-2025-59139","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-
59139"},{"reference_url":"https://github.com/advisories/GHSA-92vj-g62v-jqhh","reference_id":"GHSA-92vj-g62v-jqhh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-92vj-g62v-jqhh"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh","reference_id":"GHSA-92vj-g62v-jqhh","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T13:43:41Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-92vj-g62v-jqhh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86583?format=json","purl":"pkg:npm/hono@4.9.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-cw64-5xy1-7ycu"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-p49f-jmyh-xydd"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.9.7"}],"aliases":["CVE-2025-59139","GHSA-92
vj-g62v-jqhh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b9q6-pv4d-8uej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49856?format=json","vulnerability_id":"VCID-bpdk-sg2k-eyax","summary":"Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)\nServe static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24473","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03743","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0374","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0372","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03708","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03731","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24473"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817","reference_id":"","r
eference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:20Z/"}],"url":"https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.11.7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:20Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.11.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24473","reference_id":"CVE-2026-24473","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24473"},{"reference_url":"https://github.com/advisories/GHSA-w332-q679-j88p","reference_id":"GHSA-w332-q679-j88p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w332-q679-j88p"},{"reference_url":"https://github.com/honojs/hono/security/ad
visories/GHSA-w332-q679-j88p","reference_id":"GHSA-w332-q679-j88p","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:20Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73634?format=json","purl":"pkg:npm/hono@4.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.11.7"}],"aliases":["CVE-2026-24473","GHSA-w332-q679-j88p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bpdk-sg2k-eyax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47541?format=json","vulnerability_id":"VCID-cmve-n666-m3bc","summary":"Hono vulnerable to Restricted Directory Traversal in serveStatic with deno\nWhen 
using serveStatic with deno, it is possible to directory traverse where main.ts is located.\n\nMy environment is configured as per this tutorial\nhttps://hono.dev/getting-started/deno","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32869","reference_id":"","reference_type":"","scores":[{"value":"0.01668","scoring_system":"epss","scoring_elements":"0.82463","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01668","scoring_system":"epss","scoring_elements":"0.82469","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01668","scoring_system":"epss","scoring_elements":"0.82456","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01668","scoring_system":"epss","scoring_elements":"0.82465","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01668","scoring_system":"epss","scoring_elements":"0.82466","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32869"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T18:47:56Z/"}],"url":"https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32869","reference_id":"CVE-2024-32869","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32869"},{"reference_url":"https://github.com/advisories/GHSA-3mpf-rcc7-5347","reference_id":"GHSA-3mpf-rcc7-5347","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3mpf-rcc7-5347"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347","reference_id":"GHSA-3mpf-rcc7-5347","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-25T18:47:56Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69858?format=json","purl":"pkg:npm/hono@4.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5a44-yk5e-eufr"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-b9q6-pv4d-8uej"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-cw64-5xy1-7ycu"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-nvea-y64p-b7eh"},{"vulnerability":"VCID-p49f-jmyh-x
ydd"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.2.7"}],"aliases":["CVE-2024-32869","GHSA-3mpf-rcc7-5347"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cmve-n666-m3bc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48101?format=json","vulnerability_id":"VCID-cw64-5xy1-7ycu","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62610","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18296","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.1824","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.1822","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18333","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18329","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62610"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef","reference_id":"","reference_type":"",
"scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-23T17:31:39Z/"}],"url":"https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62610","reference_id":"CVE-2025-62610","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62610"},{"reference_url":"https://github.com/advisories/GHSA-m732-5p4w-x69g","reference_id":"GHSA-m732-5p4w-x69g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m732-5p4w-x69g"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g","reference_id":"GHSA-m732-5p4w-x69g","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-23T17:31:39Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71058?format=json","purl":"pkg:npm/hono@4.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability
":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-p49f-jmyh-xydd"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.10.2"}],"aliases":["CVE-2025-62610","GHSA-m732-5p4w-x69g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cw64-5xy1-7ycu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90257?format=json","vulnerability_id":"VCID-dv2s-3yxc-aqb9","summary":"Hono: Middleware bypass via repeated slashes in serveStatic\n## Summary\n\nA path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path.\n\nWhen route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. 
This can lead to a middleware bypass.\n\n## Details\n\nThe routing layer and `serveStatic` handle repeated slashes differently.\n\nFor example:\n\n```\n/admin/secret.txt => matches /admin/*\n/admin//secret.txt => may not match /admin/*\n```\n\nHowever, `serveStatic` may interpret both paths as the same file location (e.g., `admin/secret.txt`) and return the file.\n\nThis inconsistency allows a request such as:\n\n```\nGET //admin/secret.txt\n```\n\nto bypass middleware registered on `/admin/*` and access protected files.\n\nThe issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.\n\n## Impact\n\nAn attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.\n\nThis can lead to unauthorized access to sensitive files under the static root.\n\nThis issue affects applications that rely on serveStatic together with route-based middleware for access 
control.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39407","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06192","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06238","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06243","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06204","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06254","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39407"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/"}],"url":"https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.12.12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements
":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.12.12"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:04:53Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39407","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39407"},{"reference_url":"https://github.com/advisories/GHSA-wmmm-f939-6g9c","reference_id":"GHSA-wmmm-f939-6g9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wmmm-f939-6g9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109911?format=json","purl":"pkg:npm/hono@4.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12"}],"aliases":["CVE-2026-39407","GHSA-wmmm-f939-6g9c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://publi
c2.vulnerablecode.io/vulnerabilities/VCID-dv2s-3yxc-aqb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50246?format=json","vulnerability_id":"VCID-gj6p-bh4c-63bt","summary":"Hono added timing comparison hardening in basicAuth and bearerAuth\nThe `basicAuth` and `bearerAuth` middlewares previously used a comparison that was not fully timing-safe.\n\nThe `timingSafeEqual` function used normal string equality (`===`) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.\n\nThe implementation has been updated to use a safer comparison method.","references":[{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.11.10","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/releases/tag/v4.11.10"},{"reference_url":"https://github.com/advisories/GHSA-gq3j-xvxp-8hrf","reference_id":"GHSA-gq3j-xvxp-8hrf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/adviso
ries/GHSA-gq3j-xvxp-8hrf"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf","reference_id":"GHSA-gq3j-xvxp-8hrf","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74148?format=json","purl":"pkg:npm/hono@4.11.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.11.10"}],"aliases":["GHSA-gq3j-xvxp-8hrf"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gj6p-bh4c-63bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89975?format=json","vulnerability_id":"VCID-hv86-v64n-n7ad","summary":"hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR\n## Summary\n\nImproper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output.\n\nWhen untrusted input is used as attribute keys during server-side rendering, 
specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML.\n\n## Details\n\nWhen rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation.\n\nIf an attribute name contains characters such as `\"`, `>`, or whitespace, it can alter the structure of the generated HTML.\n\nFor example, malformed attribute names can:\n\n* Break out of the current attribute and introduce unintended additional attributes\n* Break out of the current HTML tag and inject new elements into the output\n\nThis issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering.\n\n## Impact\n\nAn attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output.\n\nThis may lead to:\n\n* Injection of unexpected HTML attributes\n* Corruption of the HTML structure\n* Potential cross-site scripting (XSS) if combined with unsafe usage patterns\n\nThis issue affects applications that pass untrusted input as JSX attribute keys during server-side 
rendering.","references":[{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375"},{"reference_url":"https://github.com/advisories/GHSA-458j-xx4x-4375","reference_id":"GHSA-458j-xx4x-4375","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-458j-xx4x-4375"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111227?format=json","purl":"pkg:npm/hono@4.12.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.14"}],"aliases":["GHSA-458j-xx4x-4375"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hv86-v64n-n7ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94730?format=json","vulnerability_id":"VCID-kgyx-8f2c-93de","summary":"hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection\n## Summary\n\nImproper handling of JSX element 
tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.\n\nWhen untrusted input is used as a tag name via the programmatic `jsx()` or `createElement()` APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.\n\n## Details\n\nWhen rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.\n\nIf a tag name contains characters such as `<`, `>`, quotes, or whitespace, it may alter the structure of the generated HTML.\n\nFor example, malformed tag names can:\n\n* Break out of the intended element and introduce unintended HTML elements\n* Inject attributes or event handlers into the rendered output\n\nThis issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via `jsx()` or `createElement()` during server-side rendering.\n\n## Impact\n\nAn attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.\n\nThis may lead to:\n\n* Injection of unexpected HTML elements or attributes\n* Corruption of the HTML structure\n* Cross-site scripting (XSS) when combined with unsafe usage patterns\n\nThis issue only affects applications that construct JSX tag names from untrusted input. 
Applications using static or allowlisted tag names are not affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44455","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09917","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09981","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09998","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09968","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09884","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44455"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T13:45:57Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44455","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","sc
oring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44455"},{"reference_url":"https://github.com/advisories/GHSA-69xw-7hcm-h432","reference_id":"GHSA-69xw-7hcm-h432","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-69xw-7hcm-h432"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/116015?format=json","purl":"pkg:npm/hono@4.12.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.16"}],"aliases":["CVE-2026-44455","GHSA-69xw-7hcm-h432"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kgyx-8f2c-93de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50669?format=json","vulnerability_id":"VCID-mqfv-j37k-2qbf","summary":"Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()\nThe `setCookie()` utility did not validate semicolons (`;`), carriage returns (`\\r`), or newline characters (`\\n`) in the `domain` and `path` options when constructing the `Set-Cookie` header.\n\nBecause cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these 
fields.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29086","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12627","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12575","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12545","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12661","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12657","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29086"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-05T15:29:14Z/"}],"url":"https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29086","reference_id":"CVE-2026-29086","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29086
"},{"reference_url":"https://github.com/advisories/GHSA-5pq2-9x2x-5p6w","reference_id":"GHSA-5pq2-9x2x-5p6w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5pq2-9x2x-5p6w"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w","reference_id":"GHSA-5pq2-9x2x-5p6w","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-05T15:29:14Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74434?format=json","purl":"pkg:npm/hono@4.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"}],"aliases":["CVE-2026-29086","GHSA-5pq2-9x2x-5p6w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqfv-j37k-2qbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55726?format=json","vulnerability_id":"VCID-nvea-y64p-b7eh","summary":"Hono CSRF middleware can be 
bypassed using crafted Content-Type header.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43787","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24041","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24036","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24093","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24147","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24165","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43787"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T15:39:07Z/"}],"url":"https://github.com/honojs
/hono/blob/b0af71fbcc6dbe44140ea76f16d68dfdb32a99a0/src/middleware/csrf/index.ts#L16-L17"},{"reference_url":"https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T15:39:07Z/"}],"url":"https://github.com/honojs/hono/commit/41ce840379516410dee60c783142e05bb5a22449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43787","reference_id":"CVE-2024-43787","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43787"},{"reference_url":"https://github.com/advisories/GHSA-rpfr-3m35-5vx5","reference_id":"GHSA-rpfr-3m35-5vx5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rpfr-3m35-5vx5"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5","reference_id":"GHSA-rpfr-3m35-5vx5","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}
,{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T15:39:07Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-rpfr-3m35-5vx5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82448?format=json","purl":"pkg:npm/hono@4.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5a44-yk5e-eufr"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-b9q6-pv4d-8uej"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-cw64-5xy1-7ycu"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-p49f-jmyh-xydd"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.5.8"}],"aliases":["CVE-2024-43787","GHSA-rpfr-3m35-5vx5"],"risk_score":2.2,"exploitability":"0.5","weighted_severity":"4.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nvea-y64p-b7eh"},{"url":"http://public2.vulnerabl
ecode.io/api/vulnerabilities/48128?format=json","vulnerability_id":"VCID-p49f-jmyh-xydd","summary":"Hono vulnerable to Vary Header Injection leading to potential CORS Bypass\nA flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` values and potentially affecting cache behavior.","references":[{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282"},{"reference_url":"https://github.com/advisories/GHSA-q7jf-gf43-6x6p","reference_id":"GHSA-q7jf-gf43-6x6p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7jf-gf43-6x6p"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-q7jf-gf43-6x6p","reference_id":"GHSA-q7jf-gf43-6x6p","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-q7jf-gf43-6x6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71076?format=json","purl":"pkg:npm/h
ono@4.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-2qtp-svb7-jfej"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-sxbx-z5t4-gygt"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.10.3"}],"aliases":["GHSA-q7jf-gf43-6x6p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p49f-jmyh-xydd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50667?format=json","vulnerability_id":"VCID-pkt4-r2xd-v3a5","summary":"Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()\nWhen using `streamSSE()` in Streaming Helper, the `event`, `id`, and `retry` fields were not validated for carriage return (`\\r`) or newline (`\\n`) characters.\n\nBecause the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these 
fields.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29085","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19046","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18994","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18975","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19087","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19088","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29085"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-05T15:39:27Z/"}],"url":"https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29085","reference_id":"CVE-2026-29085","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29085
"},{"reference_url":"https://github.com/advisories/GHSA-p6xx-57qc-3wxr","reference_id":"GHSA-p6xx-57qc-3wxr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6xx-57qc-3wxr"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr","reference_id":"GHSA-p6xx-57qc-3wxr","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-05T15:39:27Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74434?format=json","purl":"pkg:npm/hono@4.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.4"}],"aliases":["CVE-2026-29085","GHSA-p6xx-57qc-3wxr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pkt4-r2xd-v3a5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49867?format=json","vulnerability_id":"VCID-pqsz-m7n1-3uee","summary":"Hono IPv4 address validation bypass 
in IP Restriction Middleware allows IP spoofing\nIP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24398","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0351","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03545","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03532","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03515","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03531","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24398"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:18:50Z/"}],"url":"https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed9
1d8666edeec37"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.11.7","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:18:50Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.11.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24398","reference_id":"CVE-2026-24398","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24398"},{"reference_url":"https://github.com/advisories/GHSA-r354-f388-2fhh","reference_id":"GHSA-r354-f388-2fhh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r354-f388-2fhh"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh","reference_id":"GHSA-r354-f388-2fhh","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T19:18:50Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73634?format=json","purl":"pkg:npm/hono@4.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":
"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.11.7"}],"aliases":["CVE-2026-24398","GHSA-r354-f388-2fhh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pqsz-m7n1-3uee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89298?format=json","vulnerability_id":"VCID-qxug-7f5p-ybdh","summary":"Hono missing validation of cookie name on write path in setCookie()\n## Summary\n\nCookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.\n\nWhile certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.\n\nThis results in inconsistent handling of cookie names between parsing (read path) and serialization (write path).\n\n## Details\n\nWhen applications use `setCookie()`, `serialize()`, or `serializeSigned()` with a user-controlled cookie name, invalid values (e.g., containing control characters such as `\\r` or `\\n`) can be used to construct malformed `Set-Cookie` header values.\n\nFor example:\n\n```\nSet-Cookie: legit\nX-Injected: evil=value\n```\n\nHowever, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.\n\nAs a result, 
the reported header injection / response splitting behavior could not be reproduced in these environments.\n\n## Impact\n\nApplications that pass untrusted input as the cookie name to `setCookie()`, `serialize()`, or `serializeSigned()` may encounter runtime errors due to invalid header values.\n\nIn tested environments, malformed `Set-Cookie` headers are rejected before being sent, and the reported header injection behavior could not be reproduced.\n\nThis issue primarily affects correctness and robustness rather than introducing a confirmed exploitable vulnerability.","references":[{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.12.12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/releases/tag/v4.12.12"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cv
ssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-26pp-8wgv-hjvm"},{"reference_url":"https://github.com/advisories/GHSA-26pp-8wgv-hjvm","reference_id":"GHSA-26pp-8wgv-hjvm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-26pp-8wgv-hjvm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109911?format=json","purl":"pkg:npm/hono@4.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12"}],"aliases":["GHSA-26pp-8wgv-hjvm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qxug-7f5p-ybdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93660?format=json","vulnerability_id":"VCID-rkaj-xp28-aycv","summary":"Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()\n### Summary\n\nImproper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. 
This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()` — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control.\n\n### Details\n\nThe validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected:\n\n- A falsy numeric value short-circuited the presence check.\n- A non-finite numeric value compared as never-after-now and never-expired.\n- A non-numeric type produced NaN comparisons that evaluated false.\n\nThis deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value.\n\n### Impact\n\nAn actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to:\n\n- Tokens treated as never expiring even with `exp` configured on the verifier.\n- Tokens with a future `nbf` accepted as currently valid.\n- Tokens with a future `iat` accepted as legitimately issued.\n\nDeployments using a well-formed token issuer and protecting the signing key are not 
affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44459","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06015","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06054","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06041","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06039","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05991","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44459"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44459","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44459"},{"reference_url":"https://github.com/advisories/GHSA-hm8q-7f3q-5f36","reference_id":"G
HSA-hm8q-7f3q-5f36","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm8q-7f3q-5f36"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/116981?format=json","purl":"pkg:npm/hono@4.12.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.18"}],"aliases":["CVE-2026-44459","GHSA-hm8q-7f3q-5f36"],"risk_score":1.7,"exploitability":"0.5","weighted_severity":"3.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkaj-xp28-aycv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49665?format=json","vulnerability_id":"VCID-sxbx-z5t4-gygt","summary":"Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass\nA flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s `alg` value to influence signature verification when the selected JWK did not explicitly specify an algorithm. 
This could enable **JWT algorithm confusion** and, in certain configurations, allow forged tokens to be accepted.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22817","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06124","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06095","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06073","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0612","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06136","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22817"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:12:27Z/"}],"url":"https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22817","reference_id":"CVE-2026-22817","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system
":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22817"},{"reference_url":"https://github.com/advisories/GHSA-f67f-6cw9-8mq4","reference_id":"GHSA-f67f-6cw9-8mq4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f67f-6cw9-8mq4"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4","reference_id":"GHSA-f67f-6cw9-8mq4","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-14T19:12:27Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73317?format=json","purl":"pkg:npm/hono@4.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-8j4n-5v7n-rkh4"},{"vulnerability":"VCID-bpdk-sg2k-eyax"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-pqsz-m7n1-3uee"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-xqdr-fjdf-d7b4"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:npm/hono@4.11.4"}],"aliases":["CVE-2026-22817","GHSA-f67f-6cw9-8mq4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxbx-z5t4-gygt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89017?format=json","vulnerability_id":"VCID-t9nf-jpuu-bucd","summary":"Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses\n## Summary\n\n`ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addresses (e.g. `::ffff:127.0.0.1`) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.\n\n## Details\n\nThe middleware classifies client addresses based on their textual form. Addresses containing \"`:`\" are treated as IPv6, including IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`. These addresses are not normalized to IPv4 before matching.\n\nAs a result:\n\n* IPv4 static rules (e.g. `127.0.0.1`) do not match because the raw string differs\n* IPv4 CIDR rules (e.g. `127.0.0.0/8`, `10.0.0.0/8`) are skipped because the address is treated as IPv6\n\nFor example, with:\n\n`denyList: ['127.0.0.1']`\n\na request from `127.0.0.1` may be represented as `::ffff:127.0.0.1` and bypass the deny rule.\n\nThis behavior commonly occurs in Node.js environments where IPv4 clients are exposed as IPv4-mapped IPv6 addresses.\n\n## Impact\n\nApplications that rely on IPv4-based `ipRestriction()` rules may incorrectly allow or deny requests.\n\nIn affected deployments, a denied IPv4 client may bypass access restrictions. 
Conversely, legitimate clients may be rejected when using IPv4 allow lists.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39409","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.0246","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02388","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02403","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02455","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02345","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39409"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/"}],"url":"https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39"},{"reference_url":"https://github.com/honojs/ho
no/releases/tag/v4.12.12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.12.12"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:52Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-xpcf-pg52-r92g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39409","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39409"},{"reference_url":"https://github.com/advisories/GHSA-xpcf-pg52-r92g","reference_id":"GHSA-xpcf-pg52-r92g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"
url":"https://github.com/advisories/GHSA-xpcf-pg52-r92g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109911?format=json","purl":"pkg:npm/hono@4.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12"}],"aliases":["CVE-2026-39409","GHSA-xpcf-pg52-r92g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t9nf-jpuu-bucd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49881?format=json","vulnerability_id":"VCID-xqdr-fjdf-d7b4","summary":"Hono vulnerable to XSS through ErrorBoundary component\nA Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. 
Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24771","reference_id":"","reference_type":"","scores":[{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.2128","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21226","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21216","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21327","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21342","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24771"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:05Z/"}],"url":"https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24771","reference_id":"CVE-2026-24771","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S
:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24771"},{"reference_url":"https://github.com/advisories/GHSA-9r54-q6cx-xmh5","reference_id":"GHSA-9r54-q6cx-xmh5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9r54-q6cx-xmh5"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5","reference_id":"GHSA-9r54-q6cx-xmh5","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:05Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73634?format=json","purl":"pkg:npm/hono@4.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xec-9tx6-xqdv"},{"vulnerability":"VCID-3egq-e16y-5bez"},{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-5p8b-jvgn-mugv"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-dv2s-3yxc-aqb9"},{"vulnerability":"VCID-gj6p-bh4c-63bt"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-mqfv-j37k-2qbf"},{"vulnerability":"VCID-pkt4-r2xd-v3a5"},{"vulnerability":"VCID-qxug-7f5p-ybdh"},{"vulnerability":"VCID-rkaj-xp28-aycv"},{"vulnerability":"VCID-t9nf-jpuu-bucd"},{"vulnerability":"VCID-yhjw-f9zp-3uca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.11.7"}],"aliases":["CVE-2026-24771","GHSA-9r54-q6cx-xmh5"],"risk_score
":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xqdr-fjdf-d7b4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89880?format=json","vulnerability_id":"VCID-yhjw-f9zp-3uca","summary":"Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()\n## Summary\n\nA discrepancy between browser cookie parsing and `parse()` handling allows cookie prefix protections to be bypassed.\n\nCookie names that are treated as distinct by the browser may be normalized to the same key by `parse()`, allowing attacker-controlled cookies to override legitimate ones.\n\n## Details\n\nBrowsers follow RFC 6265bis and only trim SP (`0x20`) and HTAB (`0x09`) from cookie names. Other characters, such as the non-breaking space (`U+00A0`), are preserved as part of the cookie name.\n\nFor example, the browser treats the following cookies as distinct:\n\n```\n\"dummy-cookie\"\n\"\\u00a0dummy-cookie\"\n```\n\nHowever, `parse()` previously used JavaScript's `trim()`, which removes a broader set of characters including `U+00A0`. 
As a result, both names are normalized to:\n\n```\n\"dummy-cookie\"\n```\n\nThis mismatch allows attacker-controlled cookies with a `U+00A0` prefix to shadow or override legitimate cookies when accessed via `getCookie()`.\n\n## Impact\n\nAn attacker who can set cookies (e.g., via a man-in-the-middle on a non-secure page or other injection vector) can bypass cookie prefix protections and override sensitive cookies.\n\nThis may lead to:\n\n* Bypassing `__Secure-` and `__Host-` prefix protections\n* Overriding cookies that rely on the Secure attribute\n* Session fixation or session hijacking depending on application usage\n\nThis issue affects applications that rely on `getCookie()` for security-sensitive cookie handling.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39410","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09117","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09087","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09058","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09136","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09119","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39410"},{"reference_url":"https://github.com/honojs/hono","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/honojs/hono"},{"reference_url":"https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/"}],"url":"https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"},{"reference_url":"https://github.com/honojs/hono/releases/tag/v4.12.12","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/"}],"url":"https://github.com/honojs/hono/releases/tag/v4.12.12"},{"reference_url":"https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:07Z/"}],"url":"https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39410","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39410"},{"reference_url":"https://github.com/advisories/GHSA-r5rp-j6wh-rvv4","reference_id":"GHSA-r5rp-j6wh-rvv4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_el
ements":""}],"url":"https://github.com/advisories/GHSA-r5rp-j6wh-rvv4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109911?format=json","purl":"pkg:npm/hono@4.12.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5p4q-brb6-bkgy"},{"vulnerability":"VCID-7je8-dyg1-6uhg"},{"vulnerability":"VCID-7mp8-4jr7-2uan"},{"vulnerability":"VCID-hv86-v64n-n7ad"},{"vulnerability":"VCID-kgyx-8f2c-93de"},{"vulnerability":"VCID-rkaj-xp28-aycv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.12.12"}],"aliases":["CVE-2026-39410","GHSA-r5rp-j6wh-rvv4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yhjw-f9zp-3uca"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/hono@4.0.3"}