CVE-2026-56761
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
An HTML injection vulnerability in the Hono library before version 4.12.14 allows attackers to inject unintended HTML by using malformed attribute names during server-side JSX rendering. Specially crafted attribute keys containing characters like quotes or angle brackets can break HTML tag boundaries and inject arbitrary attributes or elements.
Risk Assessment
The risk involves the possibility of injecting malicious HTML, which can lead to cross-site scripting (XSS) attacks or website defacement, potentially resulting in user data theft or session hijacking.
Recommendation
Immediately update the Hono library to version 4.12.14 or later, which includes a fix for this vulnerability. If an update is not possible, thoroughly validate and sanitize all attribute names before using them in JSX rendering.
Original NVD description (English source)
hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

