CVE Catalog

CVE-2026-54290

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.

Risk Assessment

This vulnerability exposed cookie-authenticated endpoints to access from arbitrary origins, potentially leading to unauthorized access to sensitive data.

Recommendation

It is recommended to update the Hono framework to version 4.12.25 or later to mitigate this vulnerability and to configure CORS with explicitly defined origins.

Original NVD description (English source)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS