CVE-2026-59895
- EPSS 0.19%
- Veröffentlicht 08.07.2026 16:09:51
- Zuletzt bearbeitet 10.07.2026 19:53:22
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowin...
CVE-2026-59896
- EPSS 0.19%
- Veröffentlicht 08.07.2026 16:08:07
- Zuletzt bearbeitet 10.07.2026 19:50:53
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or us...
CVE-2026-59897
- EPSS 0.12%
- Veröffentlicht 08.07.2026 16:06:11
- Zuletzt bearbeitet 10.07.2026 19:50:16
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring compar...
CVE-2025-71381
- EPSS 0.28%
- Veröffentlicht 30.06.2026 22:08:21
- Zuletzt bearbeitet 02.07.2026 17:48:43
Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be manage...
CVE-2026-56761
- EPSS 0.17%
- Veröffentlicht 24.06.2026 11:53:21
- Zuletzt bearbeitet 26.06.2026 19:59:03
hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters l...
CVE-2026-56762
- EPSS 0.25%
- Veröffentlicht 23.06.2026 12:13:06
- Zuletzt bearbeitet 24.06.2026 13:16:37
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled...
CVE-2026-47673
- EPSS 0.2%
- Veröffentlicht 28.05.2026 15:29:44
- Zuletzt bearbeitet 29.05.2026 17:05:59
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the...
CVE-2026-47674
- EPSS 0.24%
- Veröffentlicht 28.05.2026 15:29:08
- Zuletzt bearbeitet 29.05.2026 16:57:58
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality a...
CVE-2026-47675
- EPSS 0.22%
- Veröffentlicht 28.05.2026 15:28:23
- Zuletzt bearbeitet 29.05.2026 16:56:59
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), bu...
CVE-2026-47676
- EPSS 0.26%
- Veröffentlicht 28.05.2026 15:26:01
- Zuletzt bearbeitet 29.05.2026 16:55:56
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the perce...