CVE-2026-44459

LOW SEVERITY

CVSS Score & Metrics

Base Score

3.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N                                    

Vulnerability Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

Vulnerability Details

Published Date

May 09, 2026

Last Modified

May 13, 2026

CWE ID

CWE-1284

Source

GitHub

Vendor

npm

Product

hono

External References

https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36
https://github.com/advisories/GHSA-hm8q-7f3q-5f36

CVE-2026-44459

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment