Live data from GitHub and npm, updated daily.
Data last fetched: 2026-06-29
10 active CVEs reported via OSV.dev
Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Hono missing validation of cookie name on write path in setCookie()
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Get SLA-backed support, security patches, and direct access to senior engineers for Hono — without relying on volunteer maintainers.