Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/975053?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/975053?format=api", "purl": "pkg:npm/%40hono/node-server@1.13.7", "type": "npm", "namespace": "@hono", "name": "node-server", "version": "1.13.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.19.13", "latest_non_vulnerable_version": "1.19.13", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90120?format=api", "vulnerability_id": "VCID-11cb-sxe1-17ck", "summary": "@hono/node-server: Middleware bypass via repeated slashes in serveStatic\n## Summary\n\nA path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path.\n\nWhen route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while `serveStatic` resolves them as normalized paths. This can lead to a middleware bypass.\n\n## Details\n\nThe routing layer and `serveStatic` handle repeated slashes differently.\n\nFor example:\n\n- `/admin/secret.txt` => matches `/admin/*`\n- `//admin/secret.txt` => may not match `/admin/*`\n\nThis inconsistency allows a request such as:\n\n```\nGET //admin/secret.txt\n```\n\nto bypass middleware registered on `/admin/*` and access protected files.\n\n## Impact\n\nAn attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.\n\nThis can lead to unauthorized access to sensitive files under the static root.\n\nThis issue affects applications that rely on `serveStatic` together with route-based middleware for access control.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05494", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05481", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05436", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05477", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05476", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39406" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2" }, { "reference_url": "https://github.com/honojs/node-server/releases/tag/v1.19.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server/releases/tag/v1.19.13" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:17:32Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39406" }, { "reference_url": "https://github.com/advisories/GHSA-92pp-h63x-v22m", "reference_id": "GHSA-92pp-h63x-v22m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92pp-h63x-v22m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111357?format=api", "purl": "pkg:npm/%40hono/node-server@1.19.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.13" } ], "aliases": [ "CVE-2026-39406", "GHSA-92pp-h63x-v22m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-11cb-sxe1-17ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50663?format=api", "vulnerability_id": "VCID-b6ff-4aqv-47gw", "summary": "@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware\nWhen using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting `/admin/*`), inconsistent URL decoding can allow protected static resources to be accessed without authorization.\n\nIn particular, paths containing encoded slashes (`%2F`) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29087", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04779", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04768", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04741", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04791", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04801", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29087" }, { "reference_url": "https://github.com/honojs/node-server", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/honojs/node-server" }, { "reference_url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/" } ], "url": "https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087", "reference_id": "CVE-2026-29087", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29087" }, { "reference_url": "https://github.com/advisories/GHSA-wc8c-qw6v-h7f6", "reference_id": "GHSA-wc8c-qw6v-h7f6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wc8c-qw6v-h7f6" }, { "reference_url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6", "reference_id": "GHSA-wc8c-qw6v-h7f6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-06T17:58:30Z/" } ], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-wc8c-qw6v-h7f6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74431?format=api", "purl": "pkg:npm/%40hono/node-server@1.19.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-11cb-sxe1-17ck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.19.10" } ], "aliases": [ "CVE-2026-29087", "GHSA-wc8c-qw6v-h7f6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b6ff-4aqv-47gw" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540hono/node-server@1.13.7" }