Path Traversal Vulnerability in Hono Web Application Framework by Hono
CVE-2026-39408

5.9 MEDIUM

Key Information:

Vendor: Honojs

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39408?

Hono, a web application framework for JavaScript runtimes, has a path traversal vulnerability in its toSSG() function. The flaw allows unauthorized file writes outside the designated output directory during static site generation. By supplying specially crafted dynamic route parameters, an attacker can produce file paths that escape the output directory restriction, potentially compromising the integrity of the application's file system. The issue is fixed in version 4.12.12.
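The containment check this class of bug calls for, shown as an added JavaScript example (not Hono's code and not the 4.12.12 patch). The function names, the `/site/static` output directory, the `/posts/:slug` route and the parameter values are assumptions constructed for illustration; paths are treated as POSIX-style with an absolute output directory.

```javascript
// Added example: keep static-site output inside the output directory.
// All names here are hypothetical; nothing below is taken from Hono.

// Collapse "." and ".." segments the way the filesystem would resolve them.
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return out;
}

// Substitute :params into a route pattern, as a generator does for dynamic routes.
function expandRoute(pattern, params) {
  return pattern.replace(/:([A-Za-z_]\w*)/g, (_, name) => String(params[name]));
}

// Map a route to an output file and refuse anything that resolves outside outDir.
// Comparing whole segments (not a string prefix) also rejects sibling
// directories such as /site/static-evil when outDir is /site/static.
function safeOutputPath(outDir, routePath) {
  if (routePath.includes('\0')) throw new Error('NUL byte in route path');
  const base = normalizeSegments(outDir);
  const target = normalizeSegments(outDir + '/' + routePath + '.html');
  const inside = target.length > base.length &&
    base.every((seg, i) => target[i] === seg);
  if (!inside) throw new Error(`output path escapes ${outDir}: ${routePath}`);
  return '/' + target.join('/');
}

// Decide, before any write happens, which routes are safe to emit.
function planOutputs(outDir, pattern, paramSets) {
  const written = [], rejected = [];
  for (const params of paramSets) {
    const route = expandRoute(pattern, params);
    try { written.push(safeOutputPath(outDir, route)); }
    catch (e) { rejected.push(route); }
  }
  return { written, rejected };
}

// Constructed sample parameters: two benign, two that climb out of outDir.
const SAMPLE_PARAMS = [
  { slug: 'hello-world' },
  { slug: '../../outside' },
  { slug: '../../static-evil/x' },
  { slug: 'nested/../ok' },
];
console.log(planOutputs('/site/static', '/posts/:slug', SAMPLE_PARAMS));
```

Running the check on the fully resolved path, after parameter substitution, is what matters: a parameter containing `..` is harmless when it resolves back inside the directory and is rejected only when it does not.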

Affected Version(s)

hono < 4.12.12

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
