Skip to main content

hono/jsx CVE-2026-44455

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-06 https://github.com/honojs/hono GHSA-69xw-7hcm-h432
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 00:15 vuln.today
Analysis Generated
May 07, 2026 - 00:15 vuln.today
CVE Published
May 06, 2026 - 23:49 nvd
MEDIUM 4.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 27 npm packages depend on hono (15 direct, 12 indirect)

Ecosystem-wide dependent count for version 4.12.16.

DescriptionGitHub Advisory

Summary

Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.

When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.

Details

When rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.

If a tag name contains characters such as <, >, quotes, or whitespace, it may alter the structure of the generated HTML.

For example, malformed tag names can:

  • Break out of the intended element and introduce unintended HTML elements
  • Inject attributes or event handlers into the rendered output

This issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via jsx() or createElement() during server-side rendering.

Impact

An attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.

This may lead to:

  • Injection of unexpected HTML elements or attributes
  • Corruption of the HTML structure
  • Cross-site scripting (XSS) when combined with unsafe usage patterns

This issue only affects applications that construct JSX tag names from untrusted input. Applications using static or allowlisted tag names are not affected.

AnalysisAI

HTML injection via unvalidated JSX tag names in hono allows attackers to inject arbitrary HTML elements and attributes when untrusted input is used as tag names during server-side rendering. The vulnerability affects hono versions prior to 4.12.16 when the jsx() or createElement() APIs process attacker-controlled tag names, potentially enabling XSS attacks. User interaction (rendering untrusted content) is required, and the issue is limited to applications that dynamically construct tag names from external sources rather than using static or allowlisted tags.

Technical ContextAI

hono is a lightweight web framework for JavaScript/TypeScript with built-in JSX support for server-side rendering. The vulnerability exists in the JSX-to-HTML transpilation layer (CWE-74: Improper Neutralization of Special Elements used in an Output). While attribute values and names undergo escaping and validation during HTML generation, tag names themselves were directly concatenated into the output HTML without sanitization. When a tag name contains metacharacters like angle brackets, quotes, or whitespace, it can alter the HTML document structure by prematurely closing tags or injecting new elements. The issue is specific to programmatic APIs (jsx() and createElement()) that accept dynamic tag names, not to JSX syntax parsing itself.

RemediationAI

Upgrade hono to version 4.12.16 or later immediately. Users can verify their installed version with npm list hono or check package-lock.json. If immediate upgrade is blocked, implement input validation by maintaining an allowlist of permitted tag names before passing them to jsx() or createElement() APIs-explicitly reject any dynamic tag name that is not in a predefined set of safe HTML elements (e.g., only permit 'div', 'span', 'p', 'a', etc.). Alternatively, refactor code to use static JSX syntax rather than programmatic APIs when rendering user-influenced content. Review application code for instances where tag names originate from query parameters, database fields, user input, or external APIs, and replace with static tags or strict validation. These workarounds have a functional trade-off: they reduce flexibility but eliminate the injection vector.

Share

CVE-2026-44455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy