cvedb.io
CVE-2026-56763
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2026-07-11T14:16:22.080 · Last modified 2026-07-11T14:16:22.080

Summary

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.