CVE-2026-54286
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
In Hono framework before version 4.12.25 on Windows hosts, an encoded backslash (%5C) in the request path decodes to a separator, allowing an attacker to read static files protected by prefix-mounted middleware.
Risk Assessment
An attacker can bypass middleware protections and access sensitive static files, such as configuration or credential files, leading to information disclosure.
Recommendation
Immediately update Hono framework to version 4.12.25 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.

