CVE-2026-47674

5.3 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-1289, CWE-185

Affected products

Vendor	Product
hono	hono

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-47674
[Vendor advisory]https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5

Related CVEs

Same vendor

CVE-2026-47676 — Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)
CVE-2026-47675 — Hono is a Web application framework that provides support for any JavaScript runtime (4.3 MEDIUM)
CVE-2026-47673 — Hono is a Web application framework that provides support for any JavaScript runtime (4.8 MEDIUM)

Same CWE

CVE-2026-42462 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (7.0 HIGH)
CVE-2026-49942 — Net::CIDR::Set versions through 0.20 for Perl did not validate network masks (7.3 HIGH)
CVE-2026-49940 — Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks (6.5 MEDIUM)
CVE-2026-48147 — Budibase is an open-source low-code platform (6.5 MEDIUM)
CVE-2026-39821 — The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label (9.6 CRITICAL)