| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-39408 | Hono has a path traversal in toSSG() allows writing files outside the output directory | honojs | hono | - | - | 2026-04-08 14:42:25 |
| CVE-2026-29087 | @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware | honojs | node-server | High | 7.5 | 2026-03-06 17:03:30 |
| CVE-2026-29085 | Hono: SSE Control Field Injection via CR/LF in writeSSE() | honojs | hono | Medium | 6.5 | 2026-03-04 22:09:46 |
| CVE-2026-29045 | Hono: Arbitrary file access via serveStatic vulnerability | honojs | hono | High | 7.5 | 2026-03-04 22:09:22 |
| CVE-2026-29086 | Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie() | honojs | hono | Medium | 5.4 | 2026-03-04 22:09:01 |
| CVE-2026-27700 | Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo | honojs | hono | High | 8.2 | 2026-02-25 15:01:45 |
| CVE-2026-24771 | Hono has a Cross-site Scripting vulnerability | honojs | hono | Medium | 4.7 | 2026-01-27 19:41:34 |
| CVE-2026-24473 | Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) | honojs | hono | - | - | 2026-01-27 19:37:52 |
| CVE-2026-24472 | Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception | honojs | hono | Medium | 5.3 | 2026-01-27 19:34:33 |
| CVE-2026-24398 | Hono's IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing | honojs | hono | Medium | 4.8 | 2026-01-27 19:06:43 |
| CVE-2026-22817 | JWT Algorithm Confusion via Unsafe Default (HS256) in Hono JWT Middleware Allows Token Forgery and Auth Bypass | honojs | hono | High | 8.2 | 2026-01-13 19:49:55 |
| CVE-2026-22818 | JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback) | honojs | hono | High | 8.2 | 2026-01-13 19:49:52 |
| CVE-2025-62610 | Hono Improperly Authorizes JWT Audience Validation | honojs | hono | High | 8.1 | 2025-10-22 19:24:08 |
| CVE-2025-59139 | Hono has Body Limit Middleware Bypass | honojs | hono | Medium | 5.3 | 2025-09-12 13:03:06 |
| CVE-2025-58362 | Hono contains a flaw in URL path parsing, potentially leading to path confusion | honojs | hono | High | 7.5 | 2025-09-04 23:56:14 |
| CVE-2024-48913 | Hono vulnerable to bypass of CSRF Middleware by a request without Content-Type header. | honojs | hono | Medium | 5.9 | 2024-10-15 15:56:14 |
| CVE-2024-43787 | Hono CSRF middleware can be bypassed using crafted Content-Type header | honojs | hono | Medium | 5.0 | 2024-08-22 14:23:44 |
| CVE-2024-32869 | Hono vulnerable to Restricted Directory Traversal in serveStatic with deno | honojs | hono | Medium | 5.3 | 2024-04-23 20:20:45 |
| CVE-2024-32652 | @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed | honojs | node-server | High | 7.5 | 2024-04-19 18:29:43 |
| CVE-2024-23340 | @hono/node-server can't handle "double dots" in URL | honojs | node-server | Medium | 5.3 | 2024-01-22 23:00:35 |