Hono Support & Health

GHSA-2234-fmw7-43wr CVSS_V3

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Published: 2024-10-15 Fixed in: 4.6.5

GHSA-26pp-8wgv-hjvm CVSS_V3

Hono missing validation of cookie name on write path in setCookie()

Published: 2026-04-08 Fixed in: 4.12.12

GHSA-3mpf-rcc7-5347 CVSS_V3

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Published: 2024-04-23 Fixed in: 4.2.7

GHSA-3vhc-576x-3qv4 CVSS_V3

Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)

Published: 2026-01-13 Fixed in: 4.11.4

GHSA-458j-xx4x-4375 CVSS_V3

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Published: 2026-04-16 Fixed in: 4.12.14

GHSA-5pq2-9x2x-5p6w CVSS_V3

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Published: 2026-03-04 Fixed in: 4.12.4

GHSA-69xw-7hcm-h432 CVSS_V3

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Published: 2026-05-06 Fixed in: 4.12.16

GHSA-6wqw-2p9w-4vw4 CVSS_V3

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception

Published: 2026-01-27 Fixed in: 4.11.7

GHSA-92vj-g62v-jqhh CVSS_V3

Hono has Body Limit Middleware Bypass

Published: 2025-09-12 Fixed in: 4.9.7

GHSA-9hp6-4448-45g2 CVSS_V3

Hono's flaw in URL path parsing could cause path confusion

Published: 2025-09-03 Fixed in: 4.9.6

Hono