CVE-2026-54286
Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
INFO
Published Date :
June 22, 2026, 5:14 p.m.
Last Modified :
June 22, 2026, 5:14 p.m.
Remotely Exploit :
Yes !
Source :
GitHub_M
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | MITRE-CVE |
Solution
- Update Hono to version 4.12.25 or later.
- Verify the application uses the updated version.
- Review access controls for sensitive files.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-54286 vulnerability anywhere in the article.