CVE-2026-39407
EUVD-2026-20493 | MEDIUM
Path Traversal (CWE-22)
2026-04-08 | https://github.com/honojs/hono | GHSA-wmmm-f939-6g9c
CVSS 3.1: 5.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned | Apr 08, 2026 00:30 (euvd) | EUVD-2026-20493
Analysis Generated | Apr 08, 2026 00:30 (vuln.today)
Patch released | Apr 08, 2026 00:30 (nvd) | Patch available
CVE Published | Apr 08, 2026 00:16 (nvd) | MEDIUM 5.3

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 54 npm packages depend on hono (43 direct, 11 indirect)

Ecosystem-wide dependent count for version 4.12.12.

Description (NVD)

Summary

A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path.

When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass.

Details

The routing layer and serveStatic handle repeated slashes differently.

For example:

/admin/secret.txt => matches /admin/*
/admin//secret.txt => may not match /admin/*

However, serveStatic may interpret both paths as the same file location (e.g., admin/secret.txt) and return the file.

This inconsistency allows a request such as:

GET //admin/secret.txt

to bypass middleware registered on /admin/* and access protected files.

The issue has been fixed by rejecting paths that contain repeated slashes, ensuring consistent behavior between route matching and static file resolution.
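To make the inconsistency concrete, the following is an added model (not Hono's code) of the two layers and of the guard the fix describes: a segment-based matcher for /admin/* that treats the empty segment produced by a leading // as a real segment, a static resolver that collapses repeated slashes, and a check that rejects any path containing // before either layer runs. The route pattern, the static root "static" and the status codes are illustrative assumptions.

```javascript
// Added model of the inconsistency, not Hono's implementation. The route
// pattern "/admin/*", the static root "static" and the status codes are
// illustrative assumptions.

// Route matcher: each literal pattern segment must equal the request
// segment and "*" swallows the rest. "//admin/x" splits to
// ["", "", "admin", "x"], so its second segment "" never equals "admin".
function routeMatches(pattern, reqPath) {
  const want = pattern.split("/");
  const got = reqPath.split("/");
  for (let i = 0; i < want.length; i++) {
    if (want[i] === "*") return true;
    if (want[i] !== got[i]) return false;
  }
  return want.length === got.length;
}

// Static resolver: drops empty and "." segments and resolves ".." without
// leaving the root, so "//admin/x" and "/admin/x" map to the same file.
function resolveStatic(root, reqPath) {
  const out = [];
  for (const seg of reqPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return root + "/" + out.join("/");
}

// The check the fix adds: refuse any path containing "//" before either
// layer sees it, so route matching and file resolution cannot disagree.
function hasRepeatedSlash(reqPath) {
  return reqPath.includes("//");
}

// Request pipeline: guard (fixed behaviour), then the auth middleware on
// "/admin/*" (assumed to reject every unauthenticated caller), then static
// serving. guard=false reproduces the pre-fix behaviour for comparison.
function handleRequest(reqPath, { guard = true } = {}) {
  if (guard && hasRepeatedSlash(reqPath)) return { status: 404 };
  if (routeMatches("/admin/*", reqPath)) return { status: 401 };
  return { status: 200, file: resolveStatic("static", reqPath) };
}

for (const p of ["/admin/secret.txt", "//admin/secret.txt"]) {
  const before = handleRequest(p, { guard: false }).status;
  console.log(`${p}: pre-fix ${before}, fixed ${handleRequest(p).status}`);
}
```

Running it shows the direct path stopped by the middleware in both modes, while the //-prefixed path reaches the file in the pre-fix model and is rejected once the guard is in place.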

Impact

An attacker can access static files that are intended to be protected by route-based middleware by using repeated slashes in the request path.

This can lead to unauthorized access to sensitive files under the static root.

This issue affects applications that rely on serveStatic together with route-based middleware for access control.

Analysis (AI)

Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. …
