CVE-2026-56761

EUVD-2026-38757
hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulnCheckCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
honohono
𝑥
< 4.12.14
CNA
Common Weakness Enumeration
References
https://github.com/honojs/hono/security/advisories/GHSA-458j-xx4x-4375
https://www.vulncheck.com/advisories/hono-html-injection-via-improper-jsx-attribute-name-handling-in-ssr