Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package hono, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (36)
CVE-2026-22818 — CVSS 8.2 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS…
CVE-2026-27700 — CVSS 8.2 (high): Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS…
CVE-2026-22817 — CVSS 8.2 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS…
CVE-2025-62610 — CVSS 8.1 (high): Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT…
CVE-2025-58362 — CVSS 7.5 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the…
CVE-2026-39408 — CVSS 7.5 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG()…
CVE-2026-29045 — CVSS 7.5 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic…
CVE-2026-54290 — CVSS 7.1 (high): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no…
CVE-2026-29085 — CVSS 6.5 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in…
CVE-2026-54288 — CVSS 6.5 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts…
CVE-2026-44456 — CVSS 6.5 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably…
CVE-2026-54286 — CVSS 5.9 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded…
CVE-2024-48913 — CVSS 5.9 (medium): Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without…
CVE-2026-29086 — CVSS 5.4 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did…
CVE-2026-24473 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for…
CVE-2026-24472 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an…
CVE-2026-39407 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in…
CVE-2026-54287 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB…
CVE-2026-39409 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not…
CVE-2025-59139 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit`…
CVE-2026-44457 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip…
CVE-2024-32869 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with…
CVE-2026-47674 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware…
CVE-2026-47676 — CVSS 5.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix…
CVE-2024-43787 — CVSS 5.0 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted…
CVE-2026-24398 — CVSS 4.8 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in…
CVE-2026-54289 — CVSS 4.8 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront…
CVE-2026-39410 — CVSS 4.8 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser…
CVE-2026-47673 — CVSS 4.8 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not…
CVE-2026-24771 — CVSS 4.7 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS)…
CVE-2026-44455 — CVSS 4.7 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element…
CVE-2026-56761 — CVSS 4.3 (medium): hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html…
CVE-2026-44458 — CVSS 4.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style…
CVE-2026-47675 — CVSS 4.3 (medium): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in…
CVE-2023-50710 — CVSS 4.2 (medium): Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous…
CVE-2026-44459 — CVSS 3.8 (low): Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT…