cvedb.io
CVE-2026-39410
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2026-04-08T15:16:15.143 · Last modified 2026-06-17T10:42:04.263

Summary

Hono is a web application framework that supports any JavaScript runtime. In versions prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that the browser treats as distinct may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.

Affected products

hono — hono

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.