CVE-2026-47676— Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47676
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hono 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.12.21之前版本存在安全漏洞,该漏洞源于app.mount()使用原始URL路径名去除挂载前缀,而路由匹配针对百分比解码路径执行,导致当路径包含百分比编码的多字节字符时前缀被错误去除,使挂载的子应用程序接收到错误路径。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47676
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47676
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47676 (1)
Same Patch Batch · honojs · 2026-05-28 · 4 CVEs total
| CVE-2026-47674 | 5.3 MEDIUM | Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 |
| CVE-2026-47673 | 4.8 MEDIUM | Hono: JWT middleware accepts any Authorization scheme, not only Bearer |
| CVE-2026-47675 | 4.3 MEDIUM | Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection |
IV. Related Vulnerabilities
Same product: hono
- CVE-2026-47673
Hono: JWT middleware accepts any Authorization scheme, not o - CVE-2026-47674
Hono: IP Restriction bypasses static deny rules for non-cano - CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, - CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J
Same vendor: honojs
- CVE-2026-47673
Hono: JWT middleware accepts any Authorization scheme, not o - CVE-2026-47674
Hono: IP Restriction bypasses static deny rules for non-cano - CVE-2026-47675
Hono: Cookie helper does not sanitize sameSite and priority, - CVE-2026-44459
Hono: Improper validation of NumericDate claims (exp, nbf, i - CVE-2026-44458
Hono: CSS Declaration Injection via Style Object Values in J
Same weakness: CWE-444
- CVE-2026-6324
Libsoup: libsoup: http request smuggling via unsigned to sig - CVE-2026-48710
Starlette has missing Host header validation that poisons re - CVE-2026-8620
IBM WebSphere Application Server and WebSphere Application S - CVE-2026-42585
Netty: HTTP Request Smuggling due to malformed Transfer-Enco - CVE-2026-42584
Netty: HttpClientCodec response desynchronization
V. Comments for CVE-2026-47676
No comments yet