11 matches found
EUVD-2026-32924
Hono: app.mount strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths...
CVE-2026-47676
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...
CVE-2026-47675
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite an...
CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...
CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...
CVE-2026-47676 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...
CVE-2026-47676
Summary: In Hono, prior to 4.12.21, app.mount() strips the mount prefix from the raw URL pathname while route matching uses the percent-decoded path. This mismatch can cause the prefix to be stripped at the wrong position for percent-encoded multi-byte characters, causing the mounted sub-applicat...
CVE-2026-47676
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...
PT-2026-44413
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.21 Description The jwt and jwk middlewares fail to verify that the Authorization header value utilizes the Bearer scheme. Consequently, any two-part header value is processed for JWT verification regardless of the...
PT-2026-44415
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.21 Description The serialize function in hono/cookie fails to validate the sameSite and priority options against characters that can corrupt Set-Cookie header syntax, such as semicolons, carriage returns, and line...
PT-2026-44416
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.21 Description In the app.mount function, the mount prefix is stripped from the incoming request path using the raw URL pathname, whereas route matching is conducted against the percent-decoded path. This...