CVE-2026-29086
Received Received - Intake
Cookie Injection Vulnerability in Hono setCookie() Utility

Publication date: 2026-03-04

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29086
EUVD
EUVD-2026-9508
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.12.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1113 The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Hono web application framework prior to version 4.12.4, specifically in the setCookie() utility. This utility did not properly validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header.

Because cookie attributes are separated by semicolons, an attacker could inject additional cookie attributes if untrusted input was passed into these fields, potentially manipulating cookie behavior.

This issue was fixed in version 4.12.4 of Hono.

Impact Analysis

This vulnerability can lead to injection of additional cookie attributes by an attacker if untrusted input is passed into the domain or path options of the setCookie() utility.

Such injection could alter cookie behavior, potentially affecting the security and integrity of user sessions or data handled by the application.

The CVSS score of 5.4 indicates a moderate severity with potential impacts on confidentiality and integrity, but no impact on availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Hono Web application framework to version 4.12.4 or later, where the issue with setCookie() utility has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart