CVE-2026-39408

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.12

Description A path traversal issue in the toSSG() function allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. The static site generation process creates output files based on route paths derived from application routes and parameters. If the ssgParams values contain traversal sequences (e.g., ..), the resulting output path may resolve outside the configured output directory, potentially overwriting unintended files, affecting generated artifacts, or impacting deployment outputs.

Recommendations Update to version 4.12.12 or later.