PT-2026-44415 · Hono · Hono

Offset · Published 2026-05-28 · Updated 2026-06-04 · CVE-2026-47675

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.12.21

Description

The serialize() function in hono/cookie fails to validate the sameSite and priority options against characters that can corrupt Set-Cookie header syntax, such as semicolons, carriage returns, and line feeds. While validation is applied to domain and path options, the lack of similar checks for these specific options allows an application passing user-controlled input to produce a Set-Cookie response header containing attacker-chosen additional attributes.

Recommendations

Update to version 4.12.21.
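For applications that derive sameSite or priority from request data, an allowlist guard in front of the serializer closes the same gap on the application side. The following is an added example, not Hono's code and not the upstream patch: `naiveSerialize`, `canonical`, `safeCookieOptions` and `attributeNames` are hypothetical names, `naiveSerialize` is a constructed stand-in for an unvalidated serializer, and the sample input is constructed.

```javascript
// Added example, not Hono's source. Standard attribute tokens, keyed lowercase.
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);
const PRIORITY = new Map([['low', 'Low'], ['medium', 'Medium'], ['high', 'High']]);

// Hypothetical stand-in for a serializer that appends both options unchecked.
function naiveSerialize(name, value, opt = {}) {
  let cookie = `${name}=${encodeURIComponent(value)}`;
  if (opt.sameSite) cookie += `; SameSite=${opt.sameSite}`;
  if (opt.priority) cookie += `; Priority=${opt.priority}`;
  return cookie;
}

// Map input to its canonical token, or throw. Anything carrying ';', CR or LF
// is not in the table, so it can never reach the header.
function canonical(table, label, input) {
  if (input === undefined) return undefined;
  const token = typeof input === 'string' ? table.get(input.toLowerCase()) : undefined;
  if (token === undefined) throw new TypeError(`invalid ${label} option`);
  return token;
}

// Hypothetical application-side guard to run before any cookie serializer.
function safeCookieOptions(opt = {}) {
  return {
    ...opt,
    sameSite: canonical(SAME_SITE, 'sameSite', opt.sameSite),
    priority: canonical(PRIORITY, 'priority', opt.priority),
  };
}

// Attribute names present in a Set-Cookie value, for comparing against intent.
function attributeNames(setCookie) {
  return setCookie.split(';').slice(1).map((part) => part.trim().split('=')[0].toLowerCase());
}

// Constructed sample: a request-derived value that smuggles a second attribute.
const untrusted = 'Lax; Domain=example.test';
console.log(attributeNames(naiveSerialize('sid', 'abc', { sameSite: untrusted })));
try {
  safeCookieOptions({ sameSite: untrusted });
} catch (err) {
  console.log(err.message);
}
console.log(naiveSerialize('sid', 'abc', safeCookieOptions({ sameSite: 'lax', priority: 'High' })));
```

The guard rejects rather than strips, so a malformed option surfaces as an error instead of a silently altered cookie.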

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-47675
GHSA-3HRH-PFW6-9M5X

Affected Products

Hono