CVE-2026-56761 | hono before 4.12.14 contains an html injection vulnerability… | CVSS 4.3 MEDIUM

Description

hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

Metadata

CVE ID: CVE-2026-56761
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-22 21:55 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 12:18 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: hono / hono
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
hono	hono	—	0 < 4.12.14, 4.12.14

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (2)

GitHub Security Advisory (GHSA-458j-xx4x-4375) https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375
VulnCheck Advisory: hono - HTML Injection via Improper JSX Attribute Name Handling in SSR https://www.vulncheck.com/advisories/hono-html-injection-via-improper-jsx-attribute-name-handling-in-ssr