CVE-2026-29086

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073	Patch
https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

History

06 Mar 2026, 18:00

Type	Values Removed	Values Added
References	~~() https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073 -~~	() https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073 - Patch
References	~~() https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w -~~	() https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w - Vendor Advisory
First Time		Hono hono Hono
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:hono:hono::::::node.js::*

04 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 23:16

Updated : 2026-03-06 18:00

NVD link : CVE-2026-29086

Mitre link : CVE-2026-29086

CVE.ORG link : CVE-2026-29086

JSON object : View

Products Affected

hono

hono

CWE

CWE-1113

Inappropriate Comment Style

NVD-CWE-Other

5.4 /10