CVE Catalog

CVE-2026-54286

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

In Hono framework before version 4.12.25 on Windows hosts, an encoded backslash (%5C) in the request path decodes to a separator, allowing an attacker to read static files protected by prefix-mounted middleware.

Risk Assessment

An attacker can bypass middleware protections and access sensitive static files, such as configuration or credential files, leading to information disclosure.

Recommendation

Immediately update Hono framework to version 4.12.25 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS