| CVE-2026-44456 | medium | 6.5 | 6.5 | 14d ago | Hono: bodyLimit() can be bypassed for chunked / unknown-length requests |
| CVE-2026-44455 | medium | 6.1 | 6.1 | 14d ago | hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection |
| CVE-2026-44457 | medium | 5.3 | 5.3 | 14d ago | Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage |
| CVE-2026-44458 | medium | 4.3 | 4.3 | 14d ago | Hono has CSS Declaration Injection via Style Object Values in JSX SSR |
| CVE-2026-44459 | low | 3.8 | 3.8 | 14d ago | Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() |
| CVE-2026-39410 | unknown | — | — | 2mo ago | Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() |
| CVE-2026-39409 | unknown | — | — | 2mo ago | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses |
| CVE-2026-39408 | unknown | — | — | 2mo ago | Hono: Path traversal in toSSG() allows writing files outside the output directory |
| CVE-2026-39407 | unknown | — | — | 2mo ago | Hono: Middleware bypass via repeated slashes in serveStatic |
| CVE-2026-29086 | unknown | — | — | 3mo ago | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() |
| CVE-2026-29085 | unknown | — | — | 3mo ago | Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() |
| CVE-2026-29045 | unknown | — | — | 3mo ago | Hono vulnerable to arbitrary file access via serveStatic vulnerability |
| CVE-2026-27700 | unknown | — | — | 3mo ago | Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo |
| CVE-2026-24771 | unknown | — | — | 4mo ago | Hono vulnerable to XSS through ErrorBoundary component |
| CVE-2026-24473 | unknown | — | — | 4mo ago | Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) |
| CVE-2026-24472 | unknown | — | — | 4mo ago | Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception |
| CVE-2026-24398 | unknown | — | — | 4mo ago | Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing |
| CVE-2026-22818 | unknown | — | — | 4mo ago | Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback) |
| CVE-2026-22817 | unknown | — | — | 4mo ago | Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass |
| CVE-2025-62610 | unknown | — | — | 7mo ago | Hono Improper Authorization vulnerability |
| CVE-2025-59139 | unknown | — | — | 9mo ago | Hono has Body Limit Middleware Bypass |
| CVE-2025-58362 | unknown | — | — | 9mo ago | Hono's flaw in URL path parsing could cause path confusion |
| CVE-2024-48913 | unknown | — | — | 2y ago | Hono allows bypass of CSRF Middleware by a request without Content-Type header. |
| CVE-2024-43787 | unknown | — | — | 2y ago | Hono CSRF middleware can be bypassed using crafted Content-Type header |
| CVE-2024-32869 | unknown | — | — | 2y ago | Hono vulnerable to Restricted Directory Traversal in serveStatic with deno |
| CVE-2023-50710 | unknown | — | — | 3y ago | Named path parameters can be overridden in TrieRouter |