hono/jsx CVE-2026-44455
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 27 npm packages depend on hono (15 direct, 12 indirect)
Ecosystem-wide dependent count for version 4.12.16.
DescriptionGitHub Advisory
Summary
Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.
When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.
Details
When rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.
If a tag name contains characters such as <, >, quotes, or whitespace, it may alter the structure of the generated HTML.
For example, malformed tag names can:
- Break out of the intended element and introduce unintended HTML elements
- Inject attributes or event handlers into the rendered output
This issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via jsx() or createElement() during server-side rendering.
Impact
An attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.
This may lead to:
- Injection of unexpected HTML elements or attributes
- Corruption of the HTML structure
- Cross-site scripting (XSS) when combined with unsafe usage patterns
This issue only affects applications that construct JSX tag names from untrusted input. Applications using static or allowlisted tag names are not affected.
AnalysisAI
HTML injection via unvalidated JSX tag names in hono allows attackers to inject arbitrary HTML elements and attributes when untrusted input is used as tag names during server-side rendering. The vulnerability affects hono versions prior to 4.12.16 when the jsx() or createElement() APIs process attacker-controlled tag names, potentially enabling XSS attacks. User interaction (rendering untrusted content) is required, and the issue is limited to applications that dynamically construct tag names from external sources rather than using static or allowlisted tags.
Technical ContextAI
hono is a lightweight web framework for JavaScript/TypeScript with built-in JSX support for server-side rendering. The vulnerability exists in the JSX-to-HTML transpilation layer (CWE-74: Improper Neutralization of Special Elements used in an Output). While attribute values and names undergo escaping and validation during HTML generation, tag names themselves were directly concatenated into the output HTML without sanitization. When a tag name contains metacharacters like angle brackets, quotes, or whitespace, it can alter the HTML document structure by prematurely closing tags or injecting new elements. The issue is specific to programmatic APIs (jsx() and createElement()) that accept dynamic tag names, not to JSX syntax parsing itself.
RemediationAI
Upgrade hono to version 4.12.16 or later immediately. Users can verify their installed version with npm list hono or check package-lock.json. If immediate upgrade is blocked, implement input validation by maintaining an allowlist of permitted tag names before passing them to jsx() or createElement() APIs-explicitly reject any dynamic tag name that is not in a predefined set of safe HTML elements (e.g., only permit 'div', 'span', 'p', 'a', etc.). Alternatively, refactor code to use static JSX syntax rather than programmatic APIs when rendering user-influenced content. Review application code for instances where tag names originate from query parameters, database fields, user input, or external APIs, and replace with static tags or strict validation. These workarounds have a functional trade-off: they reduce flexibility but eliminate the injection vector.
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-69xw-7hcm-h432