MEDIUM 5.9 npm
GHSA-2234-fmw7-43wr · CVE-2024-48913 Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Modified: 3/23/2026
package
npm / hono
pkg:npm/hono
MEDIUM 5.3 npm
GHSA-26pp-8wgv-hjvm Hono missing validation of cookie name on write path in setCookie()
Modified: 4/9/2026
MEDIUM 5.3 npm
GHSA-2gcr-mfcq-wcc3 · CVE-2026-47676 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Modified: 6/10/2026
MEDIUM 4.3 npm
GHSA-3hrh-pfw6-9m5x · CVE-2026-47675 Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Modified: 6/10/2026
MEDIUM 5.3 npm
GHSA-3mpf-rcc7-5347 · CVE-2024-32869 Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Modified: 3/23/2026
HIGH 8.2 npm
GHSA-3vhc-576x-3qv4 · CVE-2026-22818 Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
Modified: 2/4/2026
MEDIUM 4.3 npm
GHSA-458j-xx4x-4375 hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Modified: 4/16/2026
MEDIUM 5.4 npm
GHSA-5pq2-9x2x-5p6w · CVE-2026-29086 Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Modified: 3/18/2026
MEDIUM 4.7 npm
GHSA-69xw-7hcm-h432 · CVE-2026-44455 hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Modified: 5/14/2026
MEDIUM 5.3 npm
GHSA-6wqw-2p9w-4vw4 · CVE-2026-24472 Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Modified: 2/10/2026
MEDIUM 5.3 npm
GHSA-92vj-g62v-jqhh · CVE-2025-59139 Hono has Body Limit Middleware Bypass
Modified: 3/23/2026
HIGH 7.5 npm
GHSA-9hp6-4448-45g2 · CVE-2025-58362 Hono's flaw in URL path parsing could cause path confusion
Modified: 9/5/2025
MEDIUM 4.7 npm
GHSA-9r54-q6cx-xmh5 · CVE-2026-24771 Hono vulnerable to XSS through ErrorBoundary component
Modified: 2/12/2026
MEDIUM 6.5 npm
GHSA-9vqf-7f2p-gf9v · CVE-2026-44456 Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Modified: 5/14/2026
MEDIUM 4.8 npm
GHSA-f577-qrjj-4474 · CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer
Modified: 6/10/2026
HIGH 8.2 npm
GHSA-f67f-6cw9-8mq4 · CVE-2026-22817 Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
Modified: 2/4/2026
MEDIUM 4.2 npm
GHSA-f6gv-hh8j-q8vq · CVE-2023-50710 Named path parameters can be overridden in TrieRouter
Modified: 3/23/2026
LOW 3.7 npm
GHSA-gq3j-xvxp-8hrf Hono added timing comparison hardening in basicAuth and bearerAuth
Modified: 2/22/2026
LOW 3.8 npm
GHSA-hm8q-7f3q-5f36 · CVE-2026-44459 Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Modified: 5/14/2026
HIGH 8.1 npm
GHSA-m732-5p4w-x69g · CVE-2025-62610 Hono Improper Authorization vulnerability
Modified: 3/23/2026
MEDIUM 6.5 npm
GHSA-p6xx-57qc-3wxr · CVE-2026-29085 Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Modified: 3/18/2026
MEDIUM 5.3 npm
GHSA-p77w-8qqv-26rm · CVE-2026-44457 Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Modified: 5/14/2026
HIGH 7.5 npm
GHSA-q5qw-h33p-qvwr · CVE-2026-29045 Hono vulnerable to arbitrary file access via serveStatic vulnerability
Modified: 3/16/2026
MEDIUM 4.2 npm
GHSA-q7jf-gf43-6x6p Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
Modified: 11/27/2025
MEDIUM 4.3 npm
GHSA-qp7p-654g-cw7p · CVE-2026-44458 Hono has CSS Declaration Injection via Style Object Values in JSX SSR
Modified: 5/10/2026
MEDIUM 4.8 npm
GHSA-r354-f388-2fhh · CVE-2026-24398 Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Modified: 2/12/2026
MEDIUM 4.8 npm
GHSA-r5rp-j6wh-rvv4 · CVE-2026-39410 Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
Modified: 4/9/2026
MEDIUM 5.0 npm
GHSA-rpfr-3m35-5vx5 · CVE-2024-43787 Hono CSRF middleware can be bypassed using crafted Content-Type header
Modified: 3/23/2026
MEDIUM 4.8 npm
GHSA-v8w9-8mx6-g223 Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Modified: 3/13/2026
MEDIUM 5.3 npm
GHSA-w332-q679-j88p · CVE-2026-24473 Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Modified: 2/12/2026
MEDIUM 5.3 npm
GHSA-wmmm-f939-6g9c · CVE-2026-39407 Hono: Middleware bypass via repeated slashes in serveStatic
Modified: 4/9/2026
MEDIUM npm
GHSA-xf4j-xp2r-rqqx · CVE-2026-39408 Hono: Path traversal in toSSG() allows writing files outside the output directory
Modified: 4/9/2026
HIGH 8.2 npm
GHSA-xh87-mx6m-69f3 · CVE-2026-27700 Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Modified: 2/28/2026
MEDIUM 5.3 npm
GHSA-xpcf-pg52-r92g · CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Modified: 5/5/2026
MEDIUM 5.3 npm
GHSA-xrhx-7g5j-rcj5 · CVE-2026-47674 Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Modified: 6/10/2026