PT-2026-38318 · Hono · Hono

Published 2026-05-06 · Updated 2026-05-18 · CVE-2026-44455

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Hono versions prior to 4.12.16

Description

Improper handling of JSX element tag names in hono/jsx allows unvalidated tag names to be inserted directly into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() functions during server-side rendering, specially crafted values can break out of the intended element context and inject unintended HTML. Attribute values are escaped and attribute names are validated, but element tag names were inserted without validation. If a tag name contains characters such as <, >, quotes, or whitespace, it may alter the HTML structure, introduce unexpected elements, or inject attributes and event handlers. This can lead to corruption of the HTML structure or to cross-site scripting (XSS), a technique in which malicious scripts are injected into otherwise trusted websites.

Recommendations

Update to version 4.12.16. As a temporary workaround, avoid using untrusted input as tag names in the jsx() or createElement() functions.
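
One way to apply the workaround where a tag name must still be chosen at runtime, as an added example that is not Hono's code or its fix: map the untrusted value onto a fixed allowlist before it reaches jsx() or createElement(). ALLOWED_TAGS, FALLBACK_TAG, isWellFormedTagName and resolveTag are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: constrain a dynamic tag name before it is used for rendering.
// All names below are hypothetical and not part of hono/jsx.

// Tags this (assumed) application lets callers choose between.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'h1', 'h2', 'h3']);
const FALLBACK_TAG = 'div';

// Conservative shape check: an ASCII letter, then letters, digits or hyphens.
// Rejects <, >, quotes, whitespace, '/', '=' and anything else that could
// end the tag name early once the element is serialized to HTML.
const TAG_NAME_RE = /^[A-Za-z][A-Za-z0-9-]*$/;

function isWellFormedTagName(value) {
  return typeof value === 'string' && value.length <= 64 && TAG_NAME_RE.test(value);
}

// Map untrusted input to a tag from the allowlist, or to the fallback.
function resolveTag(untrusted) {
  if (!isWellFormedTagName(untrusted)) return FALLBACK_TAG;
  const tag = untrusted.toLowerCase();
  return ALLOWED_TAGS.has(tag) ? tag : FALLBACK_TAG;
}

// Constructed sample inputs, as they might arrive in a query parameter.
const samples = [
  'h2',            // on the allowlist
  'SPAN',          // on the allowlist after case folding
  'script',        // well formed, but not on the allowlist
  'div class="x"', // whitespace and quotes: would add an attribute
  'p><b',          // angle brackets: would open a second element
  '',              // empty string
  ['div'],         // not a string (for example a repeated query parameter)
];

function report() {
  return samples.map((input) => ({ input, tag: resolveTag(input) }));
}

console.log(report());
// At the render call, pass resolveTag(userValue) as the tag argument of
// jsx() or createElement() instead of userValue itself.
```

The shape check alone is not the control: a well-formed name such as script still has to be absent from the allowlist to be refused.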

Fix

Special Elements Injection


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CVE-2026-44455
GHSA-69XW-7HCM-H432

Affected Products

Hono