honojs

Top products

The 15 most recently published vulnerabilities affecting honojs.

• CVE-2026-54288Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`6.5Jun 22, 2026
• CVE-2026-54289Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest4.8Jun 22, 2026
• CVE-2026-54290Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard7.1Jun 22, 2026
• CVE-2026-54286Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)5.9Jun 22, 2026
• CVE-2026-54287Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice5.3Jun 22, 2026
• CVE-2026-47673Hono: JWT middleware accepts any Authorization scheme, not only Bearer4.8May 28, 2026
• CVE-2026-47674Hono: IP Restriction bypasses static deny rules for non-canonical IPv65.3May 28, 2026
• CVE-2026-47675Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection4.3May 28, 2026
• CVE-2026-47676Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths5.3May 28, 2026
• CVE-2026-44459Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()3.8May 13, 2026
• CVE-2026-44458Hono: CSS Declaration Injection via Style Object Values in JSX SSR4.3May 13, 2026
• CVE-2026-44457Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage5.3May 13, 2026
• CVE-2026-44456Hono: bodyLimit() can be bypassed for chunked / unknown-length requests6.5May 13, 2026
• CVE-2026-44455Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection4.7May 13, 2026
• CVE-2026-39410Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()4.8Apr 8, 2026