CVE-2026-54286
MEDIUM EPSS 20.8%
Published Jun 22, 2026 · Modified Jun 23, 2026
5.9 CVSS 3.1
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
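The mismatch described above, as an added example (not code from Hono or the advisory): a prefix check on the encoded URL path and a Windows path join on the decoded path disagree about how many segments the request has, and a pre-serve check rejects the request. The function names, the root directory and the request path are constructed for illustration; Node's `path.win32` is used so the Windows behaviour is reproduced on any host OS.

```javascript
// Added example: hypothetical helper names, not Hono's implementation.
// Load node:path whether this file runs as CommonJS or as an ES module.
const nodePath = typeof require === 'function'
  ? require('node:path')
  : process.getBuiltinModule('node:path');
const win = nodePath.win32; // Windows path rules, usable on any host OS

// How a prefix-mounted guard such as "/admin/*" sees the request: it compares
// the still-encoded URL path, where %5C is just three ordinary characters.
function guardedByPrefix(rawPath, prefix) {
  return rawPath === prefix || rawPath.startsWith(prefix + '/');
}

// What a Windows host resolves when the decoded path is joined under the root:
// the decoded backslash is treated as a directory separator.
function resolveOnWindows(root, rawPath) {
  return win.join(root, decodeURIComponent(rawPath));
}

// Defensive check before serving: decode once, refuse backslashes, NUL bytes
// and ".." segments, then confirm the resolved file is still inside the root.
function safeStaticPath(root, rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; }
  if (/[\\\0]/.test(decoded)) return null;
  if (decoded.split('/').includes('..')) return null;
  const base = win.resolve(root);
  const full = win.resolve(base, '.' + decoded);
  return full.startsWith(base + win.sep) ? full : null;
}

// Constructed sample input.
const ROOT = 'C:\\srv\\static';
const REQ = '/admin%5Csecret.txt';

console.log('guard on /admin applies:', guardedByPrefix(REQ, '/admin'));
console.log('Windows resolves to:   ', resolveOnWindows(ROOT, REQ));
console.log('safeStaticPath returns:', safeStaticPath(ROOT, REQ));
```

The durable fix remains upgrading to 4.12.25 or later; a check like `safeStaticPath` is defence in depth for static handlers on Windows hosts.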
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
20.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
References 1
- github.com https://github.com/honojs/hono/security/advisories/GHSA-wwfh-h76j-fc44
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.