Path Traversal in Honojs Hono

CVE-2026-39408

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. Whe…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (4.4th percentile) — read the EPSS interpretation.

Affected products

Honojs Hono — versions < 4.12.12

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx (x_refsource_CONFIRM)
https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679 (x_refsource_MISC)
https://github.com/honojs/hono/releases/tag/v4.12.12 (x_refsource_MISC)