CVE-2026-39410

EPSS 0.03%
Veröffentlicht 08.04.2026 14:44:40
Zuletzt bearbeitet 21.04.2026 18:26:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hono ≫ Hono SwPlatformnode.js Version <= 4.12.11

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.087

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/honojs/hono/releases/tag/v4.12.12

Release Notes

https://github.com/honojs/hono/security/advisories/GHSA-r5rp-j6wh-rvv4

Vendor Advisory

https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-39410

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39410

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39410

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39410