Vulnerability DatabaseCVE-2026-47674
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-47674
Published:May 28, 2026
Updated:June 13, 2026
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
Affected Packages
hono (NPM):
Affected version(s) >=0.0.1 <4.12.21
Fix Suggestion:
Update to version 4.12.21
Related Resources (5)
https://nvd.nist.gov/vuln/detail/CVE-2026-47674
https://github.com/honojs/hono/releases/tag/v4.12.21
https://github.com/honojs/hono/commit/c831020fb1fa2e929d222f6c84e1abfe013e512b
https://github.com/honojs/hono
https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Validation of Unsafe Equivalence in Input
CWE-1289
Incorrect Regular Expression
CWE-185
EPSS
Base Score:
0.10