Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 21, 2026
CVE-2026-39407
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
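A log-review sketch for the mismatch described above, added here as an example (it is not Hono's code and not part of the advisory): it flags requests whose path contains repeated slashes and, once normalized, falls under a protected prefix. The `METHOD PATH STATUS` log format, the `/admin/` prefix and all function names are assumptions, and the sample lines are constructed.

```javascript
// Assumption: mirrors an authorization route pattern such as /admin/*.
const PROTECTED_PREFIXES = ['/admin/'];

// Collapse runs of slashes, as a file resolver that normalizes paths would.
function normalizePath(path) {
  return path.replace(/\/{2,}/g, '/');
}

// True when the raw path has repeated slashes and its normalized form
// resolves under a protected prefix (router and resolver may disagree).
function isSuspicious(rawPath) {
  if (!/\/{2,}/.test(rawPath)) return false;
  const normalized = normalizePath(rawPath);
  return PROTECTED_PREFIXES.some((prefix) => normalized.startsWith(prefix));
}

// Parse constructed log lines ("METHOD PATH STATUS") and return flagged
// entries; `served` marks 2xx responses, i.e. the file was actually returned.
function findBypassCandidates(logLines) {
  return logLines
    .map((line) => {
      const [method, target, status] = line.trim().split(/\s+/);
      const path = target.split('?')[0]; // drop the query string
      const code = Number(status);
      return { method, path, status: code, served: code >= 200 && code < 300 };
    })
    .filter((entry) => isSuspicious(entry.path));
}

// Constructed sample input, not real traffic.
const SAMPLE_LOG = [
  'GET /admin/secret.txt 401',
  'GET //admin/secret.txt 200',
  'GET /admin//secret.txt?v=1 200',
  'GET //admin/missing.txt 404',
  'GET /public/index.html 200',
  'GET /public//admin/x 200',
];

for (const hit of findBypassCandidates(SAMPLE_LOG)) {
  console.log(`${hit.served ? 'SERVED' : 'not served'} ${hit.method} ${hit.path} -> ${hit.status}`);
}
```

Entries marked as served on a deployment running a version earlier than 4.12.12 are the ones to review first.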
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.12.12 | 4.12.12 |
Affected products
osv-coords: 22 versions (no CPE listed for any entry)

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/gemini-cli | < 0.37.0-r0 |
| pkg:apk/chainguard/hono | < 0 |
| pkg:apk/chainguard/hono-adapter-mqtt | < 0 |
| pkg:apk/chainguard/hono-cli | < 0 |
| pkg:apk/chainguard/hono-compat | < 0 |
| pkg:apk/chainguard/hono-service-auth | < 0 |
| pkg:apk/chainguard/hono-service-command-router | < 0 |
| pkg:apk/chainguard/hono-service-device-registry-jdbc | < 0 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r0 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r3 |
| pkg:apk/chainguard/librechat | < 0.8.4-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r7 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:npm/hono | < 4.12.12 |
References
- github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c (nvd, Patch, WEB)
- github.com/advisories/GHSA-wmmm-f939-6g9c (ghsa, ADVISORY)
- github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-39407 (ghsa, ADVISORY)
- github.com/honojs/hono/releases/tag/v4.12.12 (nvd, Release Notes, WEB)