CVE-2026-44459

Published: Mag 13, 2026 Last Modified: Mag 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

LOW 3,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: high

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: none

Description

AI Translation Available

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.

1284

Improper Validation of Specified Quantity in Input

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Other Integrity Availability

Potential Impacts:

Varies By Context Dos: Resource Consumption (Cpu) Modify Memory Read Memory

Applicable Platforms

All platforms may be affected

View CWE Details

Application

Hono by Hono

Product Information

Vendor Hono

Product Hono

Version Range Affected

To 4.12.18 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/honojs/hono/security/advisories/GHSA-hm8…

https://github.com/honojs/hono/security/advisories/GHSA-hm8q-7f3q-5f36