CVE-2026-56761
Analyzed Analyzed - Analysis Complete

HTML Injection in Hono JSX Server-Side Rendering

Vulnerability report for CVE-2026-56761, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: VulnCheck

Description

hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers can craft specially crafted attribute keys containing characters like quotes or angle brackets to break html tag boundaries and inject arbitrary attributes or elements.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hono hono to 4.12.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56761 is an HTML injection vulnerability in the hono library versions before 4.12.14. It occurs during server-side rendering (SSR) of JSX when untrusted input is used as attribute names without proper validation.

Attackers can craft specially malformed attribute keys containing characters like quotes or angle brackets that break HTML tag boundaries, allowing them to inject unintended HTML attributes or elements into the rendered page.

This improper handling of JSX attribute names compromises the integrity of the generated HTML and can potentially lead to further security issues such as cross-site scripting (XSS) if combined with unsafe practices.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject arbitrary HTML into your web pages during server-side rendering.

Such injection can break the structure of your HTML, potentially leading to security issues like cross-site scripting (XSS), which can compromise user data, session integrity, or the overall security of your web application.

Because the vulnerability arises from untrusted input being used as attribute keys without validation, it can be exploited remotely without requiring privileges or user interaction beyond visiting a crafted page.

Detection Guidance

This vulnerability arises from improper handling of JSX attribute names during server-side rendering in hono versions before 4.12.14, allowing HTML injection via malformed attribute keys.

To detect this vulnerability on your system, you should check the version of the hono library in use and inspect server-side rendering code that uses untrusted input as JSX attribute keys.

There are no specific detection commands provided in the available resources. However, general approaches include:

  • Verify the hono package version by running: npm list hono
  • Search your codebase for usage of JSX attribute keys that incorporate untrusted input, for example using grep or similar tools: grep -r 'attribute' ./src
  • Monitor HTTP responses for unexpected or malformed HTML attributes that could indicate injection attempts.
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-56761 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the CVE-2026-56761 vulnerability, you should upgrade the hono library to version 4.12.14 or later, where the issue with improper handling of JSX attribute names during server-side rendering has been fixed.

Additionally, avoid using untrusted input as JSX attribute keys during server-side rendering to prevent HTML injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart