{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T13:14:51.103","vulnerabilities":[{"cve":{"id":"CVE-2026-24398","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T19:16:16.363","lastModified":"2026-02-04T15:34:58.003","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue."},{"lang":"es","value":"Hono es un framework de aplicación web que proporciona soporte para cualquier entorno de ejecución de JavaScript. Antes de la versión 4.11.7, el Middleware de Restricción de IP en Hono es vulnerable a una omisión de validación de dirección IP. El patrón 'IPV4_REGEX' y la función 'convertIPv4ToBinary' en 'src/utils/ipaddr.ts' no validan correctamente que los valores de octeto IPv4 estén dentro del rango válido de 0-255, permitiendo a los atacantes crear direcciones IP malformadas que eluden los controles de acceso basados en IP. \nLa versión 4.11.7 contiene un parche para el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-185"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*","versionEndExcluding":"4.11.7","matchCriteriaId":"D0406A9F-E15B-452E-940A-ABF25EEAA871"}]}]}],"references":[{"url":"https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/honojs/hono/releases/tag/v4.11.7","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}