{"api_version":"1","generated_at":"2026-05-29T16:24:32+00:00","cve":"CVE-2026-47676","urls":{"html":"https://cve.report/CVE-2026-47676","api":"https://cve.report/api/cve/CVE-2026-47676.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-47676","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-47676"},"summary":{"title":"Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths","description":"Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-28 17:16:32","updated_at":"2026-05-29 15:39:51"},"problem_types":["CWE-444","CWE-693","CWE-444 CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","CWE-693 CWE-693: Protection Mechanism Failure"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3","name":"https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-47676","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47676","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"honojs","product":"hono","version":"affected < 4.12.21","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-47676","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-28T19:12:23.714948Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-28T19:13:28.934Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"hono","vendor":"honojs","versions":[{"status":"affected","version":"< 4.12.21"}]}],"descriptions":[{"lang":"en","value":"Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-444","description":"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-693","description":"CWE-693: Protection Mechanism Failure","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-28T15:26:01.672Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3","tags":["x_refsource_CONFIRM"],"url":"https://github.com/honojs/hono/security/advisories/GHSA-2gcr-mfcq-wcc3"}],"source":{"advisory":"GHSA-2gcr-mfcq-wcc3","discovery":"UNKNOWN"},"title":"Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-47676","datePublished":"2026-05-28T15:26:01.672Z","dateReserved":"2026-05-19T21:10:38.798Z","dateUpdated":"2026-05-28T19:13:28.934Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 17:16:32","lastModifiedDate":"2026-05-29 15:39:51","problem_types":["CWE-444","CWE-693","CWE-444 CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","CWE-693 CWE-693: Protection Mechanism Failure"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"47676","Ordinal":"1","Title":"Hono: app.mount() strips mount prefix using undecoded path, caus","CVE":"CVE-2026-47676","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"47676","Ordinal":"1","NoteData":"Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21.","Type":"Description","Title":"Hono: app.mount() strips mount prefix using undecoded path, caus"}]}}}