CVE-2026-39410 MEDIUM

CVE-2026-39410: Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()

Vendor Honojs

Product hono

Weakness CWE-20 · Input validation

Published April 8, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39410

Related vulnerabilities

CVE-2026-39410: Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()

01Description

02Disclosure timeline

03References

04Related CVE