Improper Input Validation in Hono Web Application Framework
CVE-2026-44455

4.7MEDIUM

Key Information:

Vendor: Honojs
Status: Hono
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-44455?

The Hono Web Application Framework has a vulnerability where improper handling of JSX element tag names before version 4.12.16 allows unvalidated names to be inserted into HTML. This issue can lead to injection of unintended HTML when untrusted input is processed through the jsx() or createElement() APIs during server-side rendering. Such attacks can disrupt the intended HTML structure, potentially compromising the integrity of the application and exposing it to further risks.

Affected Version(s)

hono < 4.12.16

References

https://github.com/honojs/hono/security/advisories/GHSA-6...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44455 Data

JSON

Honojs

What is CVE-2026-44455?

Affected Version(s)

References

CVSS V3.1

Timeline