Lucene search
K

537 matches found

CVE
CVE
added 2 days ago10 views

CVE-2026-56763

CVE-2026-56763 affects Hono prior to 4.12.7. The parseBody function with dot option enabled accepts proto in field names, allowing prototype pollution when parsed results are merged into regular objects via unsafe merge patterns. Impacted behavior includes modification of object prototypes and po...

6.3CVSS6.1AI score0.00177EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-43173

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...

6.3CVSS6.1AI score0.00177EPSS
Exploits0References2
NVD
NVD
added 5 days ago7 views

CVE-2026-59895

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS0.00187EPSS
Exploits0References3
NVD
NVD
added 5 days ago9 views

CVE-2026-59896

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS0.00191EPSS
Exploits0References3
NVD
NVD
added 5 days ago8 views

CVE-2026-59897

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

5.3CVSS0.00126EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-59895 Hono: Server-Side XSS via JSX Escaping Bypass in cx() Utility

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 5 days ago3 views

CVE-2026-59895

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42327

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 5 days ago10 views

CVE-2026-59895

Hono (server-side JS framework) contains a CS/XSS flaw in cx() within hono/css: class name construction concatenates strings and marks the result as pre-escaped, bypassing HTML escaping. This allows untrusted className values used in a JSX class attribute during server-side rendering to break out...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 5 days ago4 views

EUVD-2026-42326

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS5.9AI score0.00191EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-59896 hono/jsx does not isolate context per request, leading to cross-request data disclosure

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS0.00191EPSS
Exploits0References3
CVE
CVE
added 5 days ago8 views

CVE-2026-59896

Hono/jsx in the Hono web framework exposes a cross-request data disclosure during server-side rendering. From version 4.11.8 up to, but not including, 4.12.27, context values created via createContext, useContext, jsxRenderer, or useRequestContext were not isolated per request and could be reused...

6.5CVSS5.9AI score0.00191EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-59897 Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS0.00126EPSS
Exploits0References3
CVE
CVE
added 5 days ago8 views

CVE-2026-59897

CVE-2026-59897 affects Hono: API Gateway v1 adapter (versions prior to 4.12.27). The AWS API Gateway v1 adapter drops a distinct repeated request header value due to de-duplication by substring comparison instead of exact match, which can cause incomplete data in headers like X-Forwarded-For. Thi...

5.3CVSS6AI score0.00126EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/07/02 10:33 a.m.10 views

ROOT-APP-NPM-CVE-2026-54290 CVE-2026-54290 in @rootio/hono - Patched by Root

Root has patched CVE-2026-54290 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

7.1CVSS5.8AI score0.00248EPSS
Exploits0
OSV
OSV
added 2026/07/02 6:11 a.m.20 views

ROOT-APP-NPM-CVE-2026-44455 CVE-2026-44455 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44455 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

4.7CVSS5.8AI score0.0014EPSS
Exploits0
OSV
OSV
added 2026/07/02 6:11 a.m.14 views

ROOT-APP-NPM-CVE-2026-44458 CVE-2026-44458 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44458 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

4.3CVSS5.8AI score0.00197EPSS
Exploits0
OSV
OSV
added 2026/07/02 6:11 a.m.12 views

ROOT-APP-NPM-CVE-2026-44457 CVE-2026-44457 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44457 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

5.3CVSS5.8AI score0.00197EPSS
Exploits0
OSV
OSV
added 2026/07/02 6:11 a.m.14 views

ROOT-APP-NPM-CVE-2026-44456 CVE-2026-44456 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44456 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

6.5CVSS5.8AI score0.00219EPSS
Exploits0
EUVD
EUVD
added 2026/07/01 12:34 a.m.5 views

EUVD-2025-210393

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS5.9AI score0.0028EPSS
Exploits0References3
Rows per page
Query Builder