CVE-2026-39406

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 08, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

npm

Product

@hono/node-server

External References

https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m
https://github.com/honojs/node-server/commit/025c30f55d589ddbe6048b151d77e904f67a8cc2
https://github.com/honojs/node-server/releases/tag/v1.19.13
https://github.com/advisories/GHSA-92pp-h63x-v22m

CVE-2026-39406

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment