VYPR
Get started
← All vendors
Vendor

Hono

Sign in to watch
Products
3
CVEs
16
Across products
16
Status
Private

Products

3

Recent CVEs

16
CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2026-44456Med0.426.50.00May 13, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
CVE-2026-39408Hig0.427.50.00Apr 8, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
CVE-2026-29087Hig0.427.50.00Mar 6, 2026@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
CVE-2026-44455Med0.314.70.00May 13, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
CVE-2026-44458Med0.284.30.00May 13, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
CVE-2026-39409Med0.275.30.00Apr 8, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
CVE-2026-39407Med0.275.30.00Apr 8, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
CVE-2026-39406Med0.275.30.00Apr 8, 2026@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
CVE-2026-39410Med0.244.80.00Apr 8, 2026Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
CVE-2023-514350.000.00Dec 29, 2023 Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.
CVE-2023-514340.000.00Dec 29, 2023 Some Honor products are affected by buffer overflow vulnerability, successful exploitation could cause code execution.
CVE-2023-514330.000.00Dec 29, 2023 Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.
CVE-2023-514320.000.00Dec 29, 2023 Some Honor products are affected by out of bounds read vulnerability, successful exploitation could cause information leak.
CVE-2023-514300.000.00Dec 29, 2023 Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.
CVE-2023-69390.000.00Dec 29, 2023 Some Honor products are affected by type confusion vulnerability, successful exploitation could cause denial of service.
CVE-2023-234410.000.00Dec 29, 2023 Some Honor products are affected by out of bounds read vulnerability, successful exploitation could cause information leak.