hono vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| CVE-2026-54288 | Medium | hono: hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length` |
| CVE-2026-54289 | Medium | hono: hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest |
| CVE-2026-54290 | High | hono: hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard |
| CVE-2026-54286 | Medium | hono: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`) |
| CVE-2026-54287 | Medium | hono: hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on… |
| CVE-2026-47676 | Medium | hono: Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for… |
| CVE-2026-47674 | Medium | hono: Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 |
| CVE-2026-47675 | Medium | hono: Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection |
| CVE-2026-47673 | Medium | hono: Hono: JWT middleware accepts any Authorization scheme, not only Bearer |
| CVE-2026-44458 | Medium | hono: Hono has CSS Declaration Injection via Style Object Values in JSX SSR |
| CVE-2026-44459 | Low | hono: Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() |
| CVE-2026-44457 | Medium | hono: Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache… |
| CVE-2026-44456 | Medium | hono: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests |
| CVE-2026-44455 | Medium | hono: hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection |
| CVE-2026-56761 | Medium | hono: hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR |
| CVE-2026-39410 | Medium | hono: Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() |
| CVE-2026-39409 | Medium | hono: Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses |
| GHSA-26PP-8WGV-HJVM | Medium | hono: Hono missing validation of cookie name on write path in setCookie() |
| CVE-2026-39408 | Medium | hono: Hono: Path traversal in toSSG() allows writing files outside the output directory |
| CVE-2026-39407 | Medium | hono: Hono: Middleware bypass via repeated slashes in serveStatic |
| GHSA-V8W9-8MX6-G223 | Medium | hono: Hono vulnerable to Prototype Pollution possible through `__proto__` key allowed in parseBody({ dot:… |
| CVE-2026-29086 | Medium | hono: Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() |
| CVE-2026-29085 | Medium | hono: Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() |
| CVE-2026-29045 | High | hono: Hono vulnerable to arbitrary file access via serveStatic vulnerability |
| CVE-2026-27700 | High | hono: Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo |
