CVE-2026-29086

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.4

Description The setCookie() utility did not properly validate semicolons (;), carriage returns (r), or newline characters ( ) in the domain and path options when creating the Set-Cookie header. Because cookie attributes are separated by semicolons, this could allow an attacker to inject additional cookie attributes if untrusted input is used in these fields. The issue stems from the interpolation of the domain and path options without rejecting unsafe characters. Including characters like ;, r, or could lead to unintended cookie attributes being added to the header, potentially affecting cookie scoping or security. Exploitation requires misuse of cookie options at the application level.

Recommendations Update to version 4.12.4 or later.