Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-47675
CVE-2026-47675
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hononpm | < 4.12.21 | 4.12.21 |
Affected products
12- osv-coords9 versionspkg:apk/chainguard/honopkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-compatpkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbcpkg:apk/chainguard/kibana-9.4pkg:apk/chainguard/kibana-9.4-iamguarded
< 0+ 8 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 9.4.2-r3
- (no CPE)range: < 9.4.2-r3
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-3hrh-pfw6-9m5xghsaADVISORY
- github.com/honojs/hono/security/advisories/GHSA-3hrh-pfw6-9m5xnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-47675ghsaADVISORY
- github.com/honojs/hono/commit/905aedbc20661e0e2fa378783a7ec44a5c3df43dghsaWEB
- github.com/honojs/hono/releases/tag/v4.12.21ghsaWEB
News mentions
1- Hono 4.12.21: Four Medium-Severity CVEs Disclosed in a Single AdvisoryVypr Intelligence · May 28, 2026