Package impact

npm / hono

CVE	Severity	CVSS	Risk	Published	Description
CVE-2026-47673	medium	6.5	6.5	8d ago	Hono: JWT middleware accepts any Authorization scheme, not only Bearer
CVE-2026-44456	medium	6.5	6.5	23d ago	Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
CVE-2026-44455	medium	6.1	6.1	23d ago	hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
CVE-2026-47676	medium	5.3	5.3	8d ago	Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
CVE-2026-47675	medium	5.3	5.3	8d ago	Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
CVE-2026-47674	medium	5.3	5.3	8d ago	Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
CVE-2026-44457	medium	5.3	5.3	23d ago	Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
CVE-2026-44458	medium	4.3	4.3	23d ago	Hono has CSS Declaration Injection via Style Object Values in JSX SSR
CVE-2026-44459	low	3.8	3.8	23d ago	Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()