{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39408", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.594Z", "datePublished": "2026-04-08T14:42:25.357Z", "dateUpdated": "2026-04-10T20:31:47.508Z"}, "containers": {"cna": {"title": "Hono has a path traversal in toSSG() allows writing files outside the output directory", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx"}, {"name": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679"}, {"name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": "< 4.12.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:42:25.357Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12."}], "source": {"advisory": "GHSA-xf4j-xp2r-rqqx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:31:12.971142Z", "id": "CVE-2026-39408", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:31:47.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:31:12.971142Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:31:42.427Z"}}], "cna": {"title": "Hono has a path traversal in toSSG() allows writing files outside the output directory", "source": {"advisory": "GHSA-xf4j-xp2r-rqqx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": "< 4.12.12"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx", "name": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679", "name": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/honojs/hono/releases/tag/v4.12.12", "name": "https://github.com/honojs/hono/releases/tag/v4.12.12", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T14:42:25.357Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39408", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:31:47.508Z", "dateReserved": "2026-04-07T00:23:30.594Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T14:42:25.357Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BF072C76-4755-4D73-ABA0-94EA89D05799", "versionEndIncluding": "4.12.11", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12."}], "id": "CVE-2026-39408", "lastModified": "2026-04-21T18:31:11.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T15:16:14.823", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/honojs/hono/releases/tag/v4.12.12"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.12.12)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "hono", "source": "cna", "vendor": "honojs"}, "product": "hono", "vendor": "hono"}], "analysis": {"en": {"generated_at": "2026-04-08T17:21:00.193540+00:00", "value": {"mitigation_remediation": ["Upgrade Hono to version 4.12.12 or newer to eliminate the path traversal flaw."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Any installation of Hono older than version 4.12.12 is affected, regardless of the JavaScript runtime used. The defect is present in all builds that invoke the toSSG function with user-controllable ssgParams until the patch is applied.", "description_and_impact": "The flaw resides in the toSSG function of the Hono web framework, where a path traversal bug permits specially crafted dynamic route parameters to escape the intended output directory during static site generation. This allows an attacker to write files anywhere on the build machine, potentially overwriting configuration files or injecting malicious content into the generated site.", "risk_and_exploitability": "The vulnerability carries a moderate severity score of 5.9. Exploitation requires the attacker to influence the static site generation parameters, which is typically possible only during site build or deployment. No public exploits are recorded and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation would allow a compromise of the build environment\u2019s file system but does not provide remote code execution beyond file write capabilities."}}}}, "created": "2026-04-08T19:39:13.392187+00:00", "updated": "2026-04-09T08:18:48.158286+00:00", "vendors": ["hono", "hono$PRODUCT$hono"]}