
65 matches found

NVD (added 6 days ago, 11 views)

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

CVSS 5.3 | EPSS 0.00186
Exploits 0 | References 1
CVE (added 6 days ago, 15 views)

CVE-2026-54287

Summary: Hono’s AWS Lambda adapter, in the ALB single-header mode and VPC Lattice v2, concatenates multiple Set-Cookie headers into a single comma-separated value, causing cookie attributes that include commas (e.g., Expires) to be misparsed or dropped. Affected components: Hono web framework; AW...

CVSS 5.3 | AI score 5.9 | EPSS 0.00186
Exploits 0 | References 1
ATTACKERKB (added 6 days ago, 4 views)

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

CVSS 5.3 | AI score 5.9 | EPSS 0.00186
Exploits 0 | References 2 | Affected Software 1
Github Security Blog (added 2026/06/16 2:08 p.m., 12 views)

hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Summary: On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example, Expires dates), clients cannot split the value back into individual cookies and...

CVSS 5.3 | AI score 5.3 | EPSS 0.00186
Exploits 0 | References 2 | Affected Software 1
Snyk (added 2026/06/16 2:08 p.m., 6 views)

Improper Encoding or Escaping of Output

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the AWS Lambda adapter's handling of multiple Set-Cookie headers. An attacker can cause clients to drop or misinterpret cookies by triggering...

CVSS 6.9 | AI score 5.9 | EPSS 0.00186
Exploits 0 | References 2
OSV (added 2026/06/16 2:08 p.m., 6 views)

GHSA-J6C9-X7QJ-28XF hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Summary: On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example, Expires dates), clients cannot split the value back into individual cookies and...

CVSS 5.3 | AI score 5.4 | EPSS 0.00186
Exploits 0 | References 2
Positive Technologies (added 2026/06/16 12:00 a.m., 8 views)

PT-2026-49734

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.25. Description: On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into a single comma-separated value. According to RFC 6265, each cookie must be its own...

CVSS 5.3 | AI score 5.8 | EPSS 0.00186
Exploits 0 | References 4
Rosalinux (added 2026/06/01 11:49 a.m., 8 views)

Advisory ROSA-SA-2026-3307

Software: python-future 0.18.2 Operating System: ROSA-CHROME Unaffected versions: = python-future-0.18.2-4 Affected versions: python-future-0.18.2-4 CVE-ID: CVE-2022-40899 BDU-ID: 2023-02446 CVE-Crit: HIGH CVE-DESCRIPTION: The compatibility vulnerability in Python Charmers Future is related to...

CVSS 7.5 | AI score 5.8 | EPSS 0.01804
Exploits 1
Snyk (added 2026/05/28 6:24 p.m., 9 views)

HTTP Response Splitting

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Response Splitting via the serialize function. An attacker can inject arbitrary attributes into the Set-Cookie response header by supplying crafted input to the sameSite or priority...

CVSS 5.3 | AI score 5.9 | EPSS 0.00216
Exploits 0 | References 2
CNNVD (added 2026/05/28 12:00 a.m., 9 views)

Hono security vulnerability

Hono is a web framework built in TypeScript for the Hono community. Versions of Hono prior to 4.12.21 contained security vulnerabilities. These vulnerabilities stemmed from the serialize function not verifying the sameSite and priority options. This could allow the application to pass...

CVSS 5.3 | AI score 5.8 | EPSS 0.00216
Exploits 0 | References 1
Vulnrichment (added 2026/05/25 2:00 p.m., 10 views)

CVE-2026-47069 CRLF injection in cookie domain/path options in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...

CVSS 2.1 | AI score 6 | EPSS 0.00374
Exploits 1 | References 4
OSV (added 2026/05/04 1:12 p.m., 5 views)

JLSEC-2026-392

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...

CVSS 4.3 | AI score 6.7 | EPSS 0.26915
Exploits 1 | References 18
CNNVD (added 2026/03/04 12:00 a.m., 8 views)

Hono security vulnerability

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.4 contained security vulnerabilities. These vulnerabilities stemmed from the setCookie tool, which did not validate the semicolons, line breaks, or newlines in the domain and path parameters when...

CVSS 5.4 | AI score 5.8 | EPSS 0.00216
Exploits 0 | References 2
Snyk (added 2026/01/20 6:58 p.m., 4 views)

Insufficient Session Expiration

Overview @hotwired/turbo is a The speed of a single-page web application without having to write any JavaScript Affected versions of this package are vulnerable to Insufficient Session Expiration due to a race condition. An attacker can cause stale session cookies to be restored by delaying HTTP...

CVSS 6.3 | AI score 5.5 | EPSS 0.00242
Exploits 1 | References 3
EUVD (added 2025/10/03 8:07 p.m., 7 views)

EUVD-2024-17298

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 8 | EPSS 0.00743
Exploits 1 | References 6
BDU FSTEC (added 2024/09/03 12:00 a.m., 5 views)

The vulnerability of the Active Storage component in the Ruby on Rails software framework allows unauthorized individuals to access confidential information. This vulnerability enables attackers to obtain sensitive data.

The vulnerability of the Active Storage component in the Ruby on Rails programming framework relates to the sending of Set-Cookie headers along with user session cookies when handling large binary objects. Exploiting this vulnerability can allow attackers to obtain confidential information...

CVSS 6.4 | AI score 5.9 | EPSS 0.01119
Exploits 0 | References 8 | Affected Software 3
Tenable Nessus (added 2024/03/12 12:00 a.m., 30 views)

Rocky Linux 8 : firefox (RLSA-2024:0955)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:0955 advisory. - When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read...

CVSS 8.1 | AI score 7.9 | EPSS 0.00937
Exploits 1 | References 17
Tenable Nessus (added 2024/03/04 12:00 a.m., 35 views)

Debian dla-3747 : firefox-esr - security update

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3747 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3747-1 [email protected]...

CVSS 8.1 | AI score 7.5 | EPSS 0.00937
Exploits 1 | References 18
Tenable Nessus (added 2024/02/27 12:00 a.m., 34 views)

Oracle Linux 9 : thunderbird (ELSA-2024-0963)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-0963 advisory. 115.8.0-1.0.1 - Add Oracle modifications 115.8.0-1 - Update to 115.8.0 build1 Tenable has extracted the preceding description block directly from the...

CVSS 8.1 | AI score 7.4 | EPSS 0.00937
Exploits 1 | References 9
RedHat Linux (added 2024/02/26 4:36 a.m., 1 view)

Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts

The Mozilla Foundation Security Advisory describes this flaw as: Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie respon...

CVSS 6.1 | AI score 7.3 | EPSS 0.00743
Exploits 1 | References 6