
42 matches found

CVE
added yesterday, 8 views

CVE-2026-56762

Hono CVE-2026-56762 affects Hono before 4.12.12, where cookie-name validation is missing on the write path in setCookie(), serialize(), and serializeSigned(). This allows invalid characters (e.g., control characters like \r/\n) in user-controlled cookie names, producing malformed Set-Cookie header val...

6.9 CVSS, 5.9 AI score
Exploits 0, References 2
Cvelist
added yesterday, 21 views

CVE-2026-56762 Hono - Missing Cookie Name Validation in setCookie()

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...

6.9 CVSS
Exploits 0, References 2
RedhatCVE
added 2026/06/05 7:26 p.m., 8 views

CVE-2026-39963

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie. An attacker who can influence the Host header at login time, such as vi...

6.9 CVSS, 5.3 AI score, 0.00224 EPSS
Exploits 1, References 1
Cvelist
added 2026/05/25 2:00 p.m., 34 views

CVE-2026-47069 CRLF injection in cookie domain/path options in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...

2.1 CVSS, 0.00374 EPSS
Exploits 1, References 4
ATTACKERKB
added 2026/04/14 11:31 p.m., 3 views

CVE-2026-39963

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie. An attacker who can influence the Host header at login time, such as vi...

6.9 CVSS, 5.7 AI score, 0.00224 EPSS
Exploits 1, References 3, Affected Software 1
Snyk
added 2026/04/08 12:17 a.m., 3 views

HTTP Response Splitting

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

6.9 CVSS, 5.8 AI score
Exploits 0, References 2
OSV
added 2026/04/08 12:17 a.m., 7 views

GHSA-26PP-8WGV-HJVM Hono missing validation of cookie name on write path in setCookie()

Summary: Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

5.3 CVSS, 5.8 AI score
Exploits 0, References 4
Github Security Blog
added 2026/04/08 12:17 a.m., 5 views

Hono missing validation of cookie name on write path in setCookie()

Summary: Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

5.9 AI score
Exploits 0, References 4, Affected Software 1
Snyk
added 2026/03/05 2:07 a.m., 1 view

CRLF Injection

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to CRLF Injection via the setCookie utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline...

6.3 CVSS, 5.8 AI score, 0.00216 EPSS
Exploits 0, References 2
NVD
added 2026/03/04 11:16 p.m., 3 views

CVE-2026-29086

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie...

5.4 CVSS, 0.00216 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/03/04 10:09 p.m., 3 views

CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie...

5.4 CVSS, 5.8 AI score, 0.00216 EPSS
Exploits 0, References 2
Cvelist
added 2026/03/04 10:09 p.m., 18 views

CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie...

5.4 CVSS, 0.00216 EPSS
Exploits 0, References 2
CVE
added 2026/03/04 10:09 p.m., 16 views

CVE-2026-29086

In IBM advisories, CVE-2026-29086 affects the Hono web framework used by IBM App Connect Enterprise containers. Prior to 4.12.4, setCookie() did not validate semicolons, carriage returns, or newlines in domain and path when constructing Set-Cookie, enabling potential cookie-attribute injection. T...

5.4 CVSS, 5.8 AI score, 0.00216 EPSS
Exploits 0, References 2, Affected Software 1
OSV
added 2026/03/04 10:09 p.m., 2 views

CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie...

5.4 CVSS, 5.8 AI score, 0.00216 EPSS
Exploits 0, References 4
Github Security Blog
added 2026/03/04 7:49 p.m., 7 views

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Summary: The setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if...

5.4 CVSS, 5.8 AI score, 0.00216 EPSS
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/03/04 7:49 p.m., 6 views

EUVD-2026-9508

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie...

5.4 CVSS, 6 AI score, 0.00216 EPSS
Exploits 0, References 2
OSV
added 2026/03/04 7:49 p.m., 3 views

GHSA-5PQ2-9X2X-5P6W Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Summary: The setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if...

5.4 CVSS, 5.7 AI score, 0.00216 EPSS
Exploits 0, References 4
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-24094

Malicious code in bioql PyPI...

5.3 CVSS, 4.9 AI score, 0.00317 EPSS
Exploits 1, References 8
NVD
added 2025/08/10 3:15 p.m., 5 views

CVE-2025-8814

A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function setCookie of the file src/main/java/co/yiiu/pybbs/util/CookieUtil.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has...

5.3 CVSS, 0.00317 EPSS
Exploits 1, References 8
Cvelist
added 2025/08/10 3:02 p.m., 10 views

CVE-2025-8814 atjiu pybbs CookieUtil.java setCookie cross-site request forgery

A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function setCookie of the file src/main/java/co/yiiu/pybbs/util/CookieUtil.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has...

5.3 CVSS, 0.00317 EPSS
Exploits 1, References 8