CVE Catalog

CVE-2026-56761

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

An HTML injection vulnerability in the Hono library before version 4.12.14 allows attackers to inject unintended HTML by using malformed attribute names during server-side JSX rendering. Specially crafted attribute keys containing characters like quotes or angle brackets can break HTML tag boundaries and inject arbitrary attributes or elements.

Risk Assessment

The risk involves the possibility of injecting malicious HTML, which can lead to cross-site scripting (XSS) attacks or website defacement, potentially resulting in user data theft or session hijacking.

Recommendation

Immediately update the Hono library to version 4.12.14 or later, which includes a fix for this vulnerability. If an update is not possible, thoroughly validate and sanitize all attribute names before using them in JSX rendering.

Original NVD description (English source)

hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS