CVE-2026-54286
Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
| CWE | CWE-22 |
| Vendor | honojs |
| Product | hono |
| Published | Jun 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for honojs hono
Be the first to know when new medium vulnerabilities affecting honojs hono are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
honojs / hono
< 4.12.25