CVE-2026-44455
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
13/05/2026
Last modified:
13/05/2026
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:* | 4.12.16 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



