CVE-2026-54286

MEDIUM EPSS 20.8%
Published Jun 22, 20261w ago · Modified Jun 23, 20261w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Jun 22, 2026 1w ago
Last Modified Jun 23, 2026 1w ago

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.

CVSS Details

Base Score
5.9
Exploitability
2.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
20.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

References 1

  • github.com https://github.com/honojs/hono/security/advisories/GHSA-wwfh-h76j-fc44

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.