Ghostwire

CVE-2026-56763: Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field...

MEDIUM CVSS 4.8 Exploit Available

Published: July 11, 2026 | Last Modified: July 11, 2026

Description

Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References