CVE-2026-39407

low-risk

Published 2026-04-08

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Hono

Affected Vendors

Hono

References (3)

Patch https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c

Release Notes https://github.com/honojs/hono/releases/tag/v4.12.12

Vendor Advisory https://github.com/honojs/hono/security/advisories/GHSA-wmmm-f939-6g9c

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal