
6 matches found

RedhatCVE
• added 6 days ago • 5 views

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

CVSS 6.3 • AI score 5.4 • EPSS 0.00013
Exploits 0 • References 1

ATTACKERKB
• added 2026/04/08 2:44 p.m. • 1 views

CVE-2026-39410

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to th...

CVSS 4.8 • AI score 5.9 • EPSS 0.0003
Exploits 0 • References 4 • Affected Software 1

CVE
• added 2026/04/08 2:43 p.m. • 11 views

CVE-2026-39409

CVE-2026-39409 affects the Hono web application framework. The vulnerability lies in ipRestriction() not canonicalizing IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow/deny rules, which can cause IPv4 rules to fail to match in dual-stack environments (e.g., Node.js)....

CVSS 6.3 • AI score 5.9 • EPSS 0.00013
Exploits 0 • References 3 • Affected Software 1

Cvelist
• added 2026/04/08 2:41 p.m. • 18 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

CVSS 5.3 • EPSS 0.00021
Exploits 0 • References 3

CVE
• added 2026/04/08 2:41 p.m. • 14 views

CVE-2026-39407

Hono (Web framework) prior to 4.12.12 is affected by a path handling inconsistency in serveStatic: repeated slashes in the request path can bypass route-based middleware (e.g., /admin/*) and expose protected static files. The issue arises because the router may not match paths with // while serve...

CVSS 5.3 • AI score 5.9 • EPSS 0.00021
Exploits 0 • References 3 • Affected Software 1

CNNVD
• added 2026/04/08 12:0 a.m. • 4 views

Hono path traversal vulnerability

Hono is a web framework built with TypeScript in the Hono community. Versions of Hono prior to 4.12.12 contained a path traversal vulnerability. This vulnerability stemmed from issues with the toSSG function, which allowed for path traversal attacks, potentially leading to files being written...

CVSS 7.5 • AI score 5.7 • EPSS 0.00017
Exploits 1 • References 4