Cookie Injection Vulnerability in Hono Web Framework
CVE-2026-29086

5.4MEDIUM

Key Information:

Vendor: Honojs
Status: Hono
Vendor: CVE Published:; 4 March 2026

What is CVE-2026-29086?

The Hono Web application framework, which supports various JavaScript runtimes, has a vulnerability in its setCookie() utility. Versions before 4.12.4 fail to properly validate semicolons, carriage returns, and newline characters in the domain and path options. This oversight permits attackers to inject additional cookie attributes through untrusted input, jeopardizing the integrity of the web application's session management and potentially leading to security breaches. Users are advised to upgrade to version 4.12.4 or later to mitigate this issue.

Affected Version(s)

hono < 4.12.4

References

https://github.com/honojs/hono/security/advisories/GHSA-5...

x_refsource_CONFIRM

https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed5...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Mar 3, 2026

CVE-2026-29086 Data

JSON

Honojs

What is CVE-2026-29086?

Affected Version(s)

References

CVSS V3.1

Timeline