Skip to content

CVE-2026-56762

is CVE-2026-56762real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
Medium · CVSS 5.3CWE-113

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie header values. In modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and cause a runtime error before the response is sent, so header injection or response splitting could not be reproduced; the issue primarily affects correctness and robustness, resulting in runtime errors (availability) rather than confirmed header injection.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-56762
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-56762/badge.svg)](https://www.truepositive.app/cve/CVE-2026-56762)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-56762"><img src="https://www.truepositive.app/cve/CVE-2026-56762/badge.svg" alt="TruePositive verdict for CVE-2026-56762"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.