Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
Published: 2026-01-27
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can execute arbitrary scripts in the victim’s browser
Action: Immediate Patch
AI Analysis

Impact

A Cross-Site Scripting flaw exists in the ErrorBoundary component of the hono/jsx library in the Hono JavaScript framework. When certain user-controlled strings reach this component, they are rendered directly as raw HTML, which lets an attacker inject and execute arbitrary script in the browser of a victim viewing the page.

Affected Systems

Applications built on the Hono framework, on any JavaScript runtime, are affected when they use the ErrorBoundary component from hono/jsx. The flaw is present in all Hono releases prior to version 4.11.7; updating to 4.11.7 or newer removes it.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the field. The flaw is not currently listed in the CISA KEV catalog. Exploitation would likely involve submitting crafted input that reaches the ErrorBoundary component, which then renders it as raw HTML in the client’s browser.

Generated by OpenCVE AI on April 18, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hono to version 4.11.7 or later to eliminate the flawed component
  • Ensure that any dynamic content passed to the ErrorBoundary component is properly escaped or sanitized before rendering
  • Adopt a defense‑in‑depth strategy that includes input validation, output encoding, and strict content‑security policies to mitigate similar flaws
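As an added check supporting the first recommended action above (example code written for this page, not from OpenCVE or the Hono project): it scans the "packages" map of a package-lock.json for any installed copy of hono older than 4.11.7, including nested copies under other packages that a top-level version check would miss. The lockfile contents are constructed sample data.

```javascript
// Added example (not advisory or Hono project code): flag hono copies below the fixed release.
const FIXED_HONO_VERSION = '4.11.7';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable structure.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] ?? null };
}

// Comparator (<0, 0, >0). A prerelease of X.Y.Z sorts below the X.Y.Z release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

function isHonoVulnerable(version) {
  return compareSemver(version, FIXED_HONO_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including nested copies under other packages, and list the ones to update.
function findVulnerableHono(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    const isHono = path === 'node_modules/hono' || path.endsWith('/node_modules/hono');
    if (isHono && entry.version && isHonoVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile for the demonstration (not real project data).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/hono': { version: '4.11.7' },
    'node_modules/some-plugin/node_modules/hono': { version: '4.10.2' },
    'node_modules/other-lib/node_modules/hono': { version: '4.11.7-rc.1' },
  },
};
```

Run it against a real lockfile with `findVulnerableHono(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; any hit means the update has not reached that copy of hono.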

Generated by OpenCVE AI on April 18, 2026 at 14:45 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-9r54-q6cx-xmh5
Title: Hono vulnerable to XSS through ErrorBoundary component

History

Wed, 04 Feb 2026 15:30:00 +0000

Type: CPEs
Values removed: none
Values added: cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*

Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Hono; Hono hono

Type: Vendors & Products
Values removed: none
Values added: Hono; Hono hono

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:00:00 +0000

Type: Description
Values removed: none
Values added: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.

Type: Title
Values removed: none
Values added: Hono has a Cross-site Scripting vulnerability

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: References
Values removed: none
Values added:

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T20:51:54.145Z

Reserved: 2026-01-26T21:06:47.868Z

Link: CVE-2026-24771

Vulnrichment

Updated: 2026-01-27T20:36:07.623Z

NVD

Status : Analyzed

Published: 2026-01-27T20:16:24.337

Modified: 2026-02-04T15:28:20.403

Link: CVE-2026-24771

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses