CVE-2026-39408: Hono: Path traversal in toSSG() allows writing files outside the output directory

April 8, 2026

A path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory.

References

github.com/advisories/GHSA-xf4j-xp2r-rqqx
github.com/honojs/hono
github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679
github.com/honojs/hono/releases/tag/v4.12.12
github.com/honojs/hono/security/advisories/GHSA-xf4j-xp2r-rqqx
nvd.nist.gov/vuln/detail/CVE-2026-39408

Code Behaviors & Features

Detect and mitigate CVE-2026-39408 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →