Lucene search
K

238 matches found

RedhatCVE
RedhatCVE
added 2026/04/11 1:21 a.m.3 views

CVE-2026-39408

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially...

7.5CVSS5.6AI score0.00532EPSS
Exploits1References1
NVD
NVD
added 2026/04/08 3:16 p.m.7 views

CVE-2026-39410

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to th...

4.8CVSS0.00284EPSS
Exploits0References3
NVD
NVD
added 2026/04/08 3:16 p.m.17 views

CVE-2026-39408

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially...

7.5CVSS0.00532EPSS
Exploits1References3
NVD
NVD
added 2026/04/08 3:16 p.m.9 views

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

6.3CVSS0.00342EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/08 2:44 p.m.4 views

CVE-2026-39410 Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to th...

4.8CVSS5.9AI score0.00284EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:44 p.m.5 views

CVE-2026-39410

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to th...

4.8CVSS5.9AI score0.00284EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/08 2:43 p.m.3 views

CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

6.3CVSS5.9AI score0.00342EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:43 p.m.1 views

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

6.3CVSS5.9AI score0.00342EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/08 2:43 p.m.22 views

CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

6.3CVSS0.00342EPSS
Exploits0References3
CVE
CVE
added 2026/04/08 2:42 p.m.19 views

CVE-2026-39408

CVE-2026-39408 affects Hono, a web application framework for JavaScript runtimes. A path traversal flaw in toSSG() prior to version 4.12.12 can cause generated static site files to be written outside the configured output directory when dynamic routes use ssgParams. Multiple connected sources (NV...

7.5CVSS5.8AI score0.00532EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/08 2:42 p.m.2 views

CVE-2026-39408 Hono has a path traversal in toSSG() allows writing files outside the output directory

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially...

5.9CVSS5.6AI score0.00532EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/08 2:41 p.m.20 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS0.00459EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/08 2:41 p.m.2 views

CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References3
CVE
CVE
added 2026/04/08 2:41 p.m.36 views

CVE-2026-39407

Hono (Web framework) prior to 4.12.12 is affected by a path handling inconsistency in serveStatic: repeated slashes in the request path can bypass route-based middleware (e.g., /admin/*) and expose protected static files. The issue arises because the router may not match paths with // while serve...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/04/08 12:17 a.m.3 views

Improper Input Validation

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leadin...

6.3CVSS5.8AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:17 a.m.4 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the ipRestriction function. An attacker can bypass access restrictions by sending requests from IPv4-mapped IPv6 addresses, which...

6.3CVSS5.8AI score0.00342EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:17 a.m.4 views

HTTP Response Splitting

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:16 a.m.11 views

Directory Traversal

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...

6.9CVSS6.3AI score0.00459EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.8 views

Hono 输入验证错误漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.12 contained a vulnerability related to input validation errors. This vulnerability stemmed from differences in how browser Cookie parsing and the parse function were handled, which could lead to...

4.8CVSS5.8AI score0.00284EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.7 views

Hono 安全漏洞

Hono is a web framework built in TypeScript for the Hono community. Versions of Hono prior to 4.12.12 contained a security vulnerability. This vulnerability stemmed from the ipRestriction function not properly normalizing IPv4-mapped IPv6 client addresses, which could lead to failed matching of...

6.3CVSS5.8AI score0.00342EPSS
Exploits0References3
Rows per page
Query Builder