CVE-2026-39408
Published: 08 April 2026
Summary
CVE-2026-39408 is a high-severity Path Traversal (CWE-22) vulnerability in Hono. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 3.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Requires timely flaw remediation by upgrading to Hono 4.12.12 or later, which fixes the path traversal vulnerability in the toSSG() function.
- Validates dynamic route parameters in ssgParams to reject path traversal payloads like '../', preventing generated file paths from escaping the output directory.
- Enforces access control policies to restrict file write operations to only the configured output directory, mitigating unauthorized writes via path traversal.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is a remote, unauthenticated path traversal in a public-facing web application framework (Hono) that allows arbitrary file writes outside intended directories during SSG, directly enabling exploitation of public-facing applications for initial access and unauthorized file operations on the server.
NVD Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Deeper analysis [AI]
CVE-2026-39408 is a path traversal vulnerability (CWE-22) in the Hono web application framework, which supports any JavaScript runtime. In versions prior to 4.12.12, the toSSG() function mishandles dynamic route parameters provided via ssgParams during static site generation (SSG). This allows specially crafted parameter values to generate file paths that escape the configured output directory, enabling files to be written outside the intended location. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
The vulnerability can be exploited by remote attackers with network access and no required privileges or user interaction. Exploitation requires that the application use dynamic route parameters in ssgParams during static site generation and that an attacker can supply the parameter values; path traversal payloads (e.g., sequences like "../") in those values then direct file writes beyond the output directory boundary. Successful exploitation allows attackers to write files to unauthorized locations on the server, potentially leading to unauthorized access to sensitive data, as reflected in the high confidentiality impact score.
Mitigation is available in Hono version 4.12.12, which addresses the issue through changes detailed in the project's GitHub commit b470278920fffcfd6d76002755d6db53db827679. Security practitioners should upgrade to this version or later. Additional details are provided in the official release notes at https://github.com/honojs/hono/releases/tag/v4.12.12 and the security advisory at https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx.
Details
- CWE(s)