hono

Top products

The 15 most recently published vulnerabilities affecting hono.

• CVE-2026-47673Hono: JWT middleware accepts any Authorization scheme, not only Bearer4.8May 28, 2026
• CVE-2026-47674Hono: IP Restriction bypasses static deny rules for non-canonical IPv65.3May 28, 2026
• CVE-2026-47675Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection4.3May 28, 2026
• CVE-2026-47676Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths5.3May 28, 2026
• CVE-2026-44459Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()3.8May 13, 2026
• CVE-2026-44458Hono: CSS Declaration Injection via Style Object Values in JSX SSR4.3May 13, 2026
• CVE-2026-44457Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage5.3May 13, 2026
• CVE-2026-44456Hono: bodyLimit() can be bypassed for chunked / unknown-length requests6.5May 13, 2026
• CVE-2026-44455Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection4.7May 13, 2026
• CVE-2026-39410Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()4.8Apr 8, 2026
• CVE-2026-39409Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses5.3Apr 8, 2026
• CVE-2026-39408Hono has a path traversal in toSSG() allows writing files outside the output directory7.5Apr 8, 2026
• CVE-2026-39407Hono has a middleware bypass via repeated slashes in serveStatic5.3Apr 8, 2026
• CVE-2026-39406@hono/node-server has a middleware bypass via repeated slashes in serveStatic5.3Apr 8, 2026
• CVE-2026-29087@hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware7.5Mar 6, 2026