| Severity | Score | ID | Title | Affected versions |
|---|---|---|---|---|
| HIGH | 8.2 | CVE-2026-27700 | Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo | >= 4.12.0, < 4.12.2 |
| HIGH | 8.2 | CVE-2026-22818 | Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback) | from 0, < 4.11.4 |
| HIGH | 8.2 | CVE-2026-22817 | Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass | from 0, < 4.11.4 |
| HIGH | 8.1 | | Hono Improper Authorization vulnerability | >= 1.1.0, < 4.10.2 |
| HIGH | 7.5 | | Hono vulnerable to arbitrary file access via serveStatic vulnerability | from 0, < 4.12.4 |
| HIGH | 7.5 | | Hono's flaw in URL path parsing could cause path confusion | >= 4.8.0, < 4.9.6 |
| MEDIUM | 6.5 | | Hono: bodyLimit() can be bypassed for chunked / unknown-length requests | from 0, < 4.12.16 |
| MEDIUM | 6.5 | | Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() | from 0, < 4.12.4 |
| MEDIUM | 5.9 | | Hono allows bypass of CSRF Middleware by a request without Content-Type header. | from 0, < 4.6.5 |
| MEDIUM | 5.4 | | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() | from 0, < 4.12.4 |
| MEDIUM | 5.3 | | Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths | from 0, < 4.12.21 |
| MEDIUM | 5.3 | | Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 | from 0, < 4.12.21 |
| MEDIUM | 5.3 | | Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage | from 0, < 4.12.18 |
| MEDIUM | 5.3 | | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | from 0, < 4.12.12 |
| MEDIUM | 5.3 | | Hono: Middleware bypass via repeated slashes in serveStatic | from 0, < 4.12.12 |
| MEDIUM | 5.3 | | Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) | from 0, < 4.11.7 |
| MEDIUM | 5.3 | | Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception | from 0, < 4.11.7 |
| MEDIUM | 5.3 | | Hono has Body Limit Middleware Bypass | from 0, < 4.9.7 |
| MEDIUM | 5.3 | | Hono vulnerable to Restricted Directory Traversal in serveStatic with deno | from 0, < 4.2.7 |
| MEDIUM | 5.0 | | Hono CSRF middleware can be bypassed using crafted Content-Type header | from 0, < 4.5.8 |
| MEDIUM | 4.8 | | Hono: JWT middleware accepts any Authorization scheme, not only Bearer | from 0, < 4.12.21 |
| MEDIUM | 4.8 | | Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() | from 0, < 4.12.12 |
| MEDIUM | 4.8 | | Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing | from 0, < 4.11.7 |
| MEDIUM | 4.7 | | hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection | from 0, < 4.12.16 |
| MEDIUM | 4.7 | | Hono vulnerable to XSS through ErrorBoundary component | from 0, < 4.11.7 |
| MEDIUM | 4.3 | | Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection | from 0, < 4.12.21 |
| MEDIUM | 4.3 | | Hono has CSS Declaration Injection via Style Object Values in JSX SSR | from 0, < 4.12.18 |
| MEDIUM | 4.2 | | Named path parameters can be overridden in TrieRouter | from 0, < 3.11.7 |
| LOW | 3.8 | | Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() | from 0, < 4.12.18 |
| — | | | Hono: Path traversal in toSSG() allows writing files outside the output directory | >= 4.0.0, < 4.12.12 |