Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Published: 2026-05-13
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Hono allows unvalidated JSX element tag names to be injected directly into the server‑side rendered HTML. When an attacker supplies crafted values to the jsx() or createElement() APIs, the generated markup may escape the intended element context, resulting in arbitrary HTML injection. This flaw is a typical input validation issue (CWE‑74) and could be exploited to perform cross‑site scripting or other injection attacks against users of the web application.

Affected Systems

The affected product is the Hono web application framework (honojs:hono). All releases before version 4.12.16 are vulnerable; the issue was addressed in the 4.12.16 release and later.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity, and the EPSS score is not available, suggesting no current exploit data. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is server‑side rendering where untrusted input is used to create JSX tag names; no special privileges or network exploits are required beyond providing input to the application.

Generated by OpenCVE AI on May 13, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hono framework to version 4.12.16 or later.
  • Validate or sanitize any untrusted input that is used as a JSX tag name and restrict tag names to a predetermined whitelist.
  • Review all server‑side rendered JSX usage in the application and ensure that no external data is passed to the jsx() or createElement() APIs without prior validation.

Generated by OpenCVE AI on May 13, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-69xw-7hcm-h432 hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Hono
Hono hono
CPEs cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Vendors & Products Hono
Hono hono

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Title Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Weaknesses CWE-74
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Hono Hono
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T13:46:11.630Z

Reserved: 2026-05-06T15:49:25.192Z

Link: CVE-2026-44455

cve-icon Vulnrichment

Updated: 2026-05-14T13:46:07.248Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:57.433

Modified: 2026-05-13T18:35:24.373

Link: CVE-2026-44455

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses