CVE-2026-56761

MEDIUM

hono - HTML Injection via Improper JSX Attribute Name Handling in SSR

Title source: cna
STIX 2.1

Description

hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-458j-xx4x-4375)
https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375
Third Party Advisory third-party-advisory
VulnCheck Advisory: hono - HTML Injection via Improper JSX Attribute Name Handling in SSR
https://www.vulncheck.com/advisories/hono-html-injection-via-improper-jsx-attribute-name-handling-in-ssr

Scores

CVSS v3 4.3
EPSS 0.0017
EPSS Percentile 7.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
hono/hono < 4.12.14 (2 CPE variants)
hono/hono 4.12.14
npm/hono 0 - 4.12.14npm
Published Jun 24, 2026
Tracked Since Jun 24, 2026