SCA: security update for hono (GHSA-3vhc-576x-3qv4)

medium Tenable Self-Hosted Container Security Plugin ID 436737

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4,
there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT
header to influence signature verification when the selected JWK did not explicitly define an algorithm.
This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be
accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of
asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm
from untrusted JWT header values. This vulnerability is fixed in 4.11.4. (CVE-2026-22818)

See Also

https://github.com/advisories/GHSA-3vhc-576x-3qv4

Plugin Details

Severity: Medium

ID: 436737

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-22818

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/13/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-22818

cwe: CWE-347