Honojs
Products
9- Hono37 CVEsnpm
- 22 CVEs
- 8 CVEs
- 4 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
76| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39408 | Hig | 0.42 | 7.5 | 0.01 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via… | ||
| CVE-2026-29087 | Hig | 0.42 | 7.5 | 0.00 | Mar 6, 2026 | @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static… | ||
| CVE-2026-31370 | Med | 0.41 | 6.3 | 0.00 | Apr 21, 2026 | Honor E APP is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. | ||
| CVE-2026-54290 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses,… | ||
| CVE-2026-44456 | Med | 0.35 | 6.5 | 0.00 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return… | ||
| CVE-2026-47676 | Med | 0.27 | 5.3 | 0.00 | May 28, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This… | ||
| CVE-2026-47674 | Med | 0.27 | 5.3 | 0.00 | May 28, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization.… | ||
| CVE-2026-44457 | Med | 0.27 | 5.3 | 0.00 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one… | ||
| CVE-2026-39409 | Med | 0.27 | 5.3 | 0.00 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js… | ||
| CVE-2026-39407 | Med | 0.27 | 5.3 | 0.00 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware… | ||
| CVE-2026-39406 | Med | 0.27 | 5.3 | 0.00 | Apr 8, 2026 | @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used… | ||
| CVE-2026-56761 | med | 0.26 | — | 0.00 | Apr 16, 2026 | ## Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag… | ||
| CVE-2026-47673 | Med | 0.24 | 4.8 | 0.00 | May 28, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first… | ||
| CVE-2026-44455 | Med | 0.24 | 4.7 | 0.00 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a… | ||
| CVE-2026-39410 | Med | 0.24 | 4.8 | 0.00 | Apr 8, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may… | ||
| CVE-2026-47675 | Med | 0.21 | 4.3 | 0.00 | May 28, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same… | ||
| CVE-2026-44458 | Med | 0.21 | 4.3 | 0.00 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS… | ||
| CVE-2026-31369 | Low | 0.21 | 3.2 | 0.00 | Apr 21, 2026 | PcManager is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability | ||
| CVE-2025-57837 | Low | 0.19 | 2.9 | 0.00 | Oct 20, 2025 | Tileservice module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality. | ||
| CVE-2026-44459 | Low | 0.18 | 3.8 | 0.00 | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks.… |
- risk 0.42cvss 7.5epss 0.01
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via…
- risk 0.42cvss 7.5epss 0.00
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static…
- risk 0.41cvss 6.3epss 0.00
Honor E APP is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
- risk 0.38cvss —epss 0.00
### Summary With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses,…
- risk 0.35cvss 6.5epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return…
- risk 0.27cvss 5.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This…
- risk 0.27cvss 5.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization.…
- risk 0.27cvss 5.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one…
- risk 0.27cvss 5.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js…
- risk 0.27cvss 5.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware…
- risk 0.27cvss 5.3epss 0.00
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used…
- risk 0.26cvss —epss 0.00
## Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag…
- risk 0.24cvss 4.8epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first…
- risk 0.24cvss 4.7epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a…
- risk 0.24cvss 4.8epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may…
- risk 0.21cvss 4.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same…
- risk 0.21cvss 4.3epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS…
- risk 0.21cvss 3.2epss 0.00
PcManager is affected by type privilege bypass, successful exploitation of this vulnerability may affect service availability
- risk 0.19cvss 2.9epss 0.00
Tileservice module is affected by information leak vulnerability, successful exploitation of this vulnerability may affect service confidentiality.
- risk 0.18cvss 3.8epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks.…