Server-side Rendering Context Leakage in Hono Framework by Hono
CVE-2026-59896

6.5MEDIUM

Key Information:

Vendor

Honojs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59896?

The Hono framework, known for supporting various JavaScript runtimes, has a vulnerability where context values are not properly isolated during server-side rendering. This flaw allows data from one request to bleed into another, potentially exposing sensitive data or misrepresenting the application's state. The issue arises specifically with the createContext, useContext, and similar APIs, which could lead to incorrect behavior in async components. The vulnerability impacts versions from 4.11.8 to 4.12.26 and has been resolved in version 4.12.27.

Affected Version(s)

hono >= 4.11.8, < 4.12.27

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.