Skip to main content

Hono CVE-2026-56761

| EUVDEUVD-2026-38757 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 VulnCheck
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered, no auth needed (PR:N), but requires victim to load the page (UI:R); scope changes to browser context (S:C) enabling XSS with low C and I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 12:26 vuln.today
Analysis Generated
Jun 24, 2026 - 12:26 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 32 npm packages depend on hono (29 direct, 3 indirect)

Ecosystem-wide dependent count for version 4.12.14.

DescriptionCVE.org

hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

AnalysisAI

HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send HTTP request with crafted attribute key payload
Delivery
Application passes untrusted key to hono/jsx SSR renderer
Exploit
Serializer inserts key verbatim into HTML output
Execution
Malformed characters break HTML tag boundary
Persist
Injected HTML delivered to victim's browser
Impact
Victim loads page triggering injected script execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application explicitly passes untrusted external input - such as HTTP query parameters, URL path components, request headers, or form data - as JSX attribute name keys (not values) during server-side rendering in hono/jsx. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (AV:N/AC:L/AT:N/PR:N/UI:P) reflects a moderately impactful vulnerability that is constrained by two significant factors: user interaction (UI:P, meaning a victim must load the injected page) and a prerequisite application-level anti-pattern (passing externally-sourced values as JSX attribute keys). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an HTTP request to a Hono application that includes a malicious value in a query parameter or form field, which the application code then uses as a JSX attribute key during server-side rendering - for example, rendering `<div {userInput}="value">` where userInput is `class="evil" onclick="alert(1)" x`. Hono's unpatched SSR serializer inserts the key verbatim, producing `<div class="evil" onclick="alert(1)" x="value">` in the HTML response. …
Remediation Upgrade the hono npm package to version 4.12.14 or later, which introduces attribute key validation during JSX-to-HTML serialization (npm install hono@4.12.14 or yarn add hono@4.12.14). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

Share

CVE-2026-56761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy