Hono Web Framework Unvalidated JSX Tag Name Vulnerability Allowing HTML Injection

Vulnerability

Versions of the Hono web application framework prior to 4.12.16 handle JSX element tag names improperly. Unvalidated tag names could be inserted directly into the generated HTML during server-side rendering, potentially breaking out of the intended element context and injecting unintended HTML. The issue arises when untrusted input is used as a tag name through the programmatic jsx() or createElement() APIs.

Impact

Exploitation of this vulnerability could lead to injection of unexpected HTML elements or attributes, corruption of the HTML structure, or cross-site scripting (XSS) vulnerabilities, particularly when combined with unsafe usage patterns.

Remediation

Users can upgrade to Hono version 4.12.16 or later to address this vulnerability.
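For code that has to accept a tag name from outside, an allowlist check before the name reaches jsx() or createElement() keeps untrusted strings out of the markup. The sketch below is an added example, not Hono's code or its fix: toyRender is a constructed stand-in for a renderer that writes the tag name verbatim, and safeTagName, renderHeading and ALLOWED_TAGS are hypothetical names.

```javascript
// Added example, not Hono's code. Tags the application actually needs (assumed list).
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'h1', 'h2', 'h3']);

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Constructed stand-in for a server-side renderer: it escapes the text
// content but trusts the tag name, which is the pattern the advisory describes.
function toyRender(tag, text) {
  return `<${tag}>${escapeHtml(text)}</${tag}>`;
}

// Hypothetical guard: map untrusted input to a known tag, or to a fallback.
// An allowlist is stricter than a character filter: anything containing
// spaces, '>' or other markup simply fails the lookup.
function safeTagName(input, fallback = 'div') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase();
  return ALLOWED_TAGS.has(name) ? name : fallback;
}

// Call site: the tag name is resolved before it reaches the renderer.
function renderHeading(untrustedTag, text) {
  return toyRender(safeTagName(untrustedTag), text);
}

// Constructed sample inputs: two legitimate, three that must not pass through.
const samples = ['h2', 'H1 ', 'h1 class=injected', 'p></p><b', 42];

function demo() {
  return samples.map((s) => ({
    input: s,
    unguarded: toyRender(s, 'hi'),
    guarded: renderHeading(s, 'hi'),
  }));
}

console.log(demo());
```

The guard complements the upgrade to 4.12.16 or later rather than replacing it.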

Added: May 13, 2026, 5:22 PM
Updated: May 13, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.