CVE-2026-54290
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.
Risk Assessment
This vulnerability exposed cookie-authenticated endpoints to access from arbitrary origins, potentially leading to unauthorized access to sensitive data.
Recommendation
It is recommended to update the Hono framework to version 4.12.25 or later to mitigate this vulnerability and to configure CORS with explicitly defined origins.
Original NVD description (English source)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.

