Medium severity5.3NVD Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-47676
CVE-2026-47676
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hononpm | < 4.12.21 | 4.12.21 |
Affected products
12- osv-coords9 versionspkg:apk/chainguard/honopkg:apk/chainguard/hono-adapter-mqttpkg:apk/chainguard/hono-clipkg:apk/chainguard/hono-compatpkg:apk/chainguard/hono-service-authpkg:apk/chainguard/hono-service-command-routerpkg:apk/chainguard/hono-service-device-registry-jdbcpkg:apk/chainguard/kibana-9.4pkg:apk/chainguard/kibana-9.4-iamguarded
< 0+ 8 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 9.4.2-r3
- (no CPE)range: < 9.4.2-r3
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-2gcr-mfcq-wcc3ghsaADVISORY
- github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-47676ghsaADVISORY
- github.com/honojs/hono/commit/6cbb025ff87fca1a3d00d0ccca0eaf3a6385c3f1ghsaWEB
- github.com/honojs/hono/releases/tag/v4.12.21ghsaWEB
News mentions
1- Hono 4.12.21: Four Medium-Severity CVEs Disclosed in a Single AdvisoryVypr Intelligence · May 28, 2026