docs: add CHANGELOG entries for CVE-2026-44455, 44456, 44458

Consolidates SOU-1068, SOU-1069, SOU-1071 into this PR (already addressing
SOU-1070 / CVE-2026-44457). Same hono 4.12.14 -> 4.12.18 bump fixes all four.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -12,7 +12,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44455. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44456. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 - Upgraded `hono` to `^4.12.18` to address CVE-2026-44457. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
+- Upgraded `hono` to `^4.12.18` to address CVE-2026-44458. [#1186](https://github.com/sourcebot-dev/sourcebot/pull/1186)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)