
467 matches found

OSV
added yesterday, 6 views

ROOT-APP-NPM-CVE-2026-44455 CVE-2026-44455 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44455 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 4.7 | AI score 5.8 | EPSS 0.00033
Exploits: 0
OSV
added yesterday, 3 views

ROOT-APP-NPM-CVE-2026-44457 CVE-2026-44457 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44457 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 5.3 | AI score 5.8 | EPSS 0.00038
Exploits: 0
OSV
added yesterday, 3 views

ROOT-APP-NPM-CVE-2026-44458 CVE-2026-44458 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44458 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 4.3 | AI score 5.8 | EPSS 0.00043
Exploits: 0
OSV
added yesterday, 4 views

ROOT-APP-NPM-CVE-2026-44456 CVE-2026-44456 in @rootio/hono - Patched by Root

Root has patched CVE-2026-44456 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 6.5 | AI score 5.8 | EPSS 0.00012
Exploits: 0
OSV
added yesterday, 2 views

ROOT-APP-NPM-CVE-2026-29086 CVE-2026-29086 in @rootio/hono - Patched by Root

Root has patched CVE-2026-29086 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 5.4 | AI score 5.9 | EPSS 0.0004
Exploits: 0
OSV
added yesterday, 3 views

ROOT-APP-NPM-CVE-2026-29085 CVE-2026-29085 in @rootio/hono - Patched by Root

Root has patched CVE-2026-29085 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 6.5 | AI score 5.9 | EPSS 0.0006
Exploits: 0
OSV
added yesterday, 2 views

ROOT-APP-NPM-CVE-2026-29045 CVE-2026-29045 in @rootio/hono - Patched by Root

Root has patched CVE-2026-29045 in the @rootio/hono package for Root:npm. Multiple fixed versions available...

CVSS 9.8 | AI score 5.9 | EPSS 0.0005
Exploits: 0
Github Security Blog
added yesterday, 8 views

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Summary: app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte...

CVSS 5.3 | AI score 5.8 | EPSS 0.00067
Exploits: 0 | References: 5 | Affected Software: 1
EUVD
added yesterday, 5 views

EUVD-2026-32924

Hono: app.mount strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths...

CVSS 5.3 | AI score 5.8 | EPSS 0.00067
Exploits: 0 | References: 4
EUVD
added yesterday, 7 views

EUVD-2026-32926

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6...

CVSS 5.3 | AI score 5.8 | EPSS 0.00098
Exploits: 0 | References: 4
EUVD
added yesterday, 7 views

EUVD-2026-32925

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection...

CVSS 5.3 | AI score 5.8 | EPSS 0.00125
Exploits: 0 | References: 4
OSV
added yesterday, 3 views

GHSA-3HRH-PFW6-9M5X Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Summary: The serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...

CVSS 4.3 | AI score 5.8 | EPSS 0.00125
Exploits: 0 | References: 5
EUVD
added yesterday, 9 views

EUVD-2026-32927

Hono: JWT middleware accepts any Authorization scheme, not only Bearer...

CVSS 6.5 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 4
OSV
added yesterday, 3 views

GHSA-F577-QRJJ-4474 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Summary: The jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...

CVSS 4.8 | AI score 5.7 | EPSS 0.00037
Exploits: 0 | References: 5
RedhatCVE
added 3 days ago, 8 views

CVE-2026-47674

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6...

CVSS 5.3 | AI score 5.8 | EPSS 0.00098
Exploits: 0 | References: 1
RedhatCVE
added 6 days ago, 10 views

CVE-2026-47673

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

CVSS 6.5 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 1
Snyk
added 2026/05/28 6:24 p.m., 6 views

Incorrect Regular Expression

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Incorrect Regular Expression via the ip-restriction middleware. An attacker can bypass configured deny rules for IPv6 addresses by submitting non-canonical representations, such as...

CVSS 6.9 | AI score 5.8 | EPSS 0.00098
Exploits: 0 | References: 2
Snyk
added 2026/05/28 6:24 p.m., 6 views

HTTP Response Splitting

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Response Splitting via the serialize function. An attacker can inject arbitrary attributes into the Set-Cookie response header by supplying crafted input to the sameSite or priority...

CVSS 5.3 | AI score 5.9 | EPSS 0.00125
Exploits: 0 | References: 2
Snyk
added 2026/05/28 6:24 p.m., 9 views

Improper Authorization

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Improper Authorization via the jwt middleware when the Authorization header uses any scheme, not just Bearer. An attacker can gain unauthorized access by presenting a valid JWT under a...

CVSS 6.5 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 2
Snyk
added 2026/05/28 6:24 p.m., 9 views

HTTP Request Smuggling

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Request Smuggling via the app.mount function. An attacker can access unintended routes or resources by sending requests with percent-encoded multi-byte characters in the URL path,...

CVSS 6.9 | AI score 5.8 | EPSS 0.00067
Exploits: 0 | References: 2