CVE-2026-47676 | THREATINT

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.

PUBLISHED Reserved 2026-05-19 | Published 2026-05-28 | Updated 2026-05-28 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-693: Protection Mechanism Failure

Product status

< 4.12.21

affected

References

github.com/...s/hono/security/advisories/GHSA-2gcr-mfcq-wcc3

cve.org (CVE-2026-47676)

nvd.nist.gov (CVE-2026-47676)

Download JSON