What is CVE-2026-29085?

CVE-2026-29085 is a medium-severity vulnerability in Honojs Hono, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 6.5/10. Published 2026-03-04.

How severe is CVE-2026-29085?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Honojs Hono

CVE-2026-29085

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newli…

EPSS: 0.001 (19.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Affected products

Honojs Hono — versions < 4.12.4

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr (x_refsource_CONFIRM)
https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-29085?: CVE-2026-29085 is a medium-severity vulnerability in Honojs Hono, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 6.5/10. Published 2026-03-04.
How severe is CVE-2026-29085?: Medium severity. CVSS v3 base score is 6.5 out of 10.