What is CVE-2026-39406?

CVE-2026-39406 is a medium-severity vulnerability in Honojs Node-server, classified under Path Traversal. CVSS score: 5.3/10. Published 2026-04-08.

How severe is CVE-2026-39406?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Path Traversal in Honojs Node-server

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-ba…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (5.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Honojs Node-server — versions < 1.19.13

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/honojs/node-server/security/advisories/GHSA-92pp-h63x-v22m (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-39406?: CVE-2026-39406 is a medium-severity vulnerability in Honojs Node-server, classified under Path Traversal. CVSS score: 5.3/10. Published 2026-04-08.
How severe is CVE-2026-39406?: Medium severity. CVSS v3 base score is 5.3 out of 10.