High severity 7.5 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 21, 2026
CVE-2026-39408
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | >= 4.0.0, < 4.12.12 | 4.12.12 |
Affected products
osv-coords, 22 versions (no CPE listed for any entry):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/gemini-cli | < 0.37.0-r0 |
| pkg:apk/chainguard/hono | < 0 |
| pkg:apk/chainguard/hono-adapter-mqtt | < 0 |
| pkg:apk/chainguard/hono-cli | < 0 |
| pkg:apk/chainguard/hono-compat | < 0 |
| pkg:apk/chainguard/hono-service-auth | < 0 |
| pkg:apk/chainguard/hono-service-command-router | < 0 |
| pkg:apk/chainguard/hono-service-device-registry-jdbc | < 0 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r10 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r3 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.3-r0 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.3-r0 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r3 |
| pkg:apk/chainguard/librechat | < 0.8.4-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r7 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.164.0-r5 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r8 |
| pkg:npm/hono | >= 4.0.0, < 4.12.12 |
References
- github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679 (nvd: Patch, WEB)
- github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-xf4j-xp2r-rqqx (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-39408 (ghsa: ADVISORY)
- github.com/honojs/hono/releases/tag/v4.12.12 (nvd: Release Notes, WEB)