
11 matches found

EUVD
added 2026/06/04 6:1 p.m., 11 views

EUVD-2026-32924

Hono: app.mount strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths...

5.3 CVSS | 5.8 AI score | 0.0026 EPSS
Exploits: 0 | References: 4
NVD
added 2026/05/28 5:16 p.m., 14 views

CVE-2026-47676

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

5.3 CVSS | 0.0026 EPSS
Exploits: 0 | References: 1
NVD
added 2026/05/28 5:16 p.m., 15 views

CVE-2026-47675

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite an...

5.3 CVSS | 0.00216 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/28 3:29 p.m., 49 views

CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

4.8 CVSS | 0.00199 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/28 3:29 p.m., 11 views

CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds t...

4.8 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/28 3:26 p.m., 29 views

CVE-2026-47676 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

5.3 CVSS | 0.0026 EPSS
Exploits: 0 | References: 1
CVE
added 2026/05/28 3:26 p.m., 39 views

CVE-2026-47676

Summary: In Hono, prior to 4.12.21, app.mount() strips the mount prefix from the raw URL pathname while route matching uses the percent-decoded path. This mismatch can cause the prefix to be stripped at the wrong position for percent-encoded multi-byte characters, causing the mounted sub-applicat...

5.3 CVSS | 5.8 AI score | 0.0026 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
ATTACKERKB
added 2026/05/28 3:26 p.m., 7 views

CVE-2026-47676

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

5.3 CVSS | 5.8 AI score | 0.0026 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/28 12:0 a.m., 13 views

PT-2026-44413

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.21. Description: The jwt and jwk middlewares fail to verify that the Authorization header value utilizes the Bearer scheme. Consequently, any two-part header value is processed for JWT verification regardless of the...

6.5 CVSS | 5.8 AI score | 0.00199 EPSS
Exploits: 0 | References: 7
Positive Technologies
added 2026/05/28 12:0 a.m., 16 views

PT-2026-44415

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.21. Description: The serialize function in hono/cookie fails to validate the sameSite and priority options against characters that can corrupt Set-Cookie header syntax, such as semicolons, carriage returns, and line...

5.3 CVSS | 5.8 AI score | 0.00216 EPSS
Exploits: 0 | References: 7
Positive Technologies
added 2026/05/28 12:0 a.m., 14 views

PT-2026-44416

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.21. Description: In the app.mount function, the mount prefix is stripped from the incoming request path using the raw URL pathname, whereas route matching is conducted against the percent-decoded path. This...

5.3 CVSS | 5.8 AI score | 0.0026 EPSS
Exploits: 0 | References: 7