36323 matches found

Vulnrichment
added 2026/04/08 2:43 p.m., 1 view

CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

CVSS 6.3 | AI score 5.9 | EPSS 0.00013
Exploits 0 | References 3
ATTACKERKB
added 2026/04/08 2:43 p.m., 0 views

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

CVSS 6.3 | AI score 5.9 | EPSS 0.00013
Exploits 0 | References 4 | Affected Software 1
Vulnrichment
added 2026/04/08 2:42 p.m., 0 views

CVE-2026-39408 Hono has a path traversal in toSSG() that allows writing files outside the output directory

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially...

CVSS 5.9 | AI score 5.6 | EPSS 0.00017
Exploits 1 | References 3
CVE
added 2026/04/08 2:42 p.m., 8 views

CVE-2026-39408

CVE-2026-39408 affects Hono, a web application framework for JavaScript runtimes. A path traversal flaw in toSSG() prior to version 4.12.12 can cause generated static site files to be written outside the configured output directory when dynamic routes use ssgParams. Multiple connected sources (NV...

CVSS 7.5 | AI score 5.8 | EPSS 0.00017
Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2026/04/08 2:41 p.m., 18 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/) is used for...

CVSS 5.3 | EPSS 0.00021
Exploits 0 | References 3
CVE
added 2026/04/08 2:41 p.m., 16 views

CVE-2026-39407

Hono (Web framework) prior to 4.12.12 is affected by a path handling inconsistency in serveStatic: repeated slashes in the request path can bypass route-based middleware (e.g., /admin/*) and expose protected static files. The issue arises because the router may not match paths with // while serve...

CVSS 5.3 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 3 | Affected Software 1
Vulnrichment
added 2026/04/08 2:41 p.m., 1 view

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/) is used for...

CVSS 5.3 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 3
ATTACKERKB
added 2026/04/08 2:41 p.m., 1 view

CVE-2026-39407

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/) is used for...

CVSS 5.3 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 4 | Affected Software 1
CVE
added 2026/04/08 2:31 p.m., 4 views

CVE-2026-39393

CVE-2026-39393 affects the ci4ms CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the install route guard uses a volatile cache check (cache('settings')) and .env existence to block setup access; if the database is temporarily unreachable during a cache miss, the guard can fail open, allowing a...

CVSS 8.1 | AI score 5.9 | EPSS 0.00053
Exploits 1 | References 1 | Affected Software 1
ATTACKERKB
added 2026/04/08 2:31 p.m., 2 views

CVE-2026-39393

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block...

CVSS 8.1 | AI score 5.9 | EPSS 0.00053
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/04/08 2:30 p.m., 4 views

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVSS 4.8 | AI score 6 | EPSS 0.00014
Exploits 1 | References 1
Snyk
added 2026/04/08 12:18 a.m., 3 views

Directory Traversal

Overview: emmett is "The web framework for inventors". Affected versions of this package are vulnerable to Directory Traversal via the RSGI static handler for internal assets. An attacker can access arbitrary files outside the intended directory by sending specially crafted requests containing...

CVSS 9.1 | AI score 6.4 | EPSS 0.00019
Exploits 0 | References 2
Github Security Blog
added 2026/04/08 12:18 a.m., 4 views

Emmett has a path traversal in internal assets handler

The RSGI static handler for Emmett's internal assets (/emmett paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences, e.g. /emmett/../rsgi/handlers.py, to read arbitrary files outside the assets directory...

CVSS 9.1 | AI score 6 | EPSS 0.00019
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/04/08 12:18 a.m., 2 views

GHSA-PR46-2V3C-5356 Emmett has a path traversal in internal assets handler

The RSGI static handler for Emmett's internal assets (/emmett paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences, e.g. /emmett/../rsgi/handlers.py, to read arbitrary files outside the assets directory...

CVSS 7.5 | AI score 5.9 | EPSS 0.00019
Exploits 0 | References 4
EUVD
added 2026/04/08 12:18 a.m., 2 views

EUVD-2026-19974

Emmett has a path traversal in internal assets handler...

CVSS 9.1 | AI score 5.9 | EPSS 0.00019
Exploits 0 | References 1
Snyk
added 2026/04/08 12:17 a.m., 2 views

Improper Input Validation

Overview: hono is an "Ultrafast web framework for the Edges". Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leadin...

CVSS 6.3 | AI score 5.8 | EPSS 0.0003
Exploits 0 | References 2
Snyk
added 2026/04/08 12:17 a.m., 3 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview: hono is an "Ultrafast web framework for the Edges". Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which...

CVSS 6.3 | AI score 5.8 | EPSS 0.00013
Exploits 0 | References 2
Snyk
added 2026/04/08 12:17 a.m., 2 views

HTTP Response Splitting

Overview: hono is an "Ultrafast web framework for the Edges". Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

CVSS 6.9 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/04/08 12:16 a.m., 1 view

Directory Traversal

Overview: hono is an "Ultrafast web framework for the Edges". Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...

CVSS 6.9 | AI score 6.3 | EPSS 0.00021
Exploits 0 | References 2
Snyk
added 2026/04/08 12:12 a.m., 7 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...

CVSS 8.6 | AI score 6 | EPSS 0.00129
Exploits 1 | References 2