Back to overview

CVE-2026-56763

MEDIUM
4.8
CVSS 3.1
Description
Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

Metadata

CVE ID
CVE-2026-56763
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-22 21:55 UTC
Published
2026-07-11 13:00 UTC
Last updated
2026-07-11 13:00 UTC
Primary CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attri…
Vendor / Product
Hono / Hono
Sources
cve.org  ·  NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
Hono Hono 0 < 4.12.7, 4.12.7
Weakness (CWE)
CWESourceDescription
CWE-1321 cna Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
4.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References (2)
Back to overview