{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24771", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T21:06:47.868Z", "datePublished": "2026-01-27T19:41:33.773Z", "dateUpdated": "2026-01-27T20:51:54.145Z"}, "containers": {"cna": {"title": "Hono has a Cross-site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5"}, {"name": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990"}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"version": "< 4.11.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T19:41:33.773Z"}, "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue."}], "source": {"advisory": "GHSA-9r54-q6cx-xmh5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:36:05.327964Z", "id": "CVE-2026-24771", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:51:54.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:36:05.327964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:36:07.623Z"}}], "cna": {"title": "Hono has a Cross-site Scripting vulnerability", "source": {"advisory": "GHSA-9r54-q6cx-xmh5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "honojs", "product": "hono", "versions": [{"status": "affected", "version": "< 4.11.7"}]}], "references": [{"url": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5", "name": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990", "name": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T19:41:33.773Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24771", "state": "PUBLISHED", "dateUpdated": "2026-01-27T20:51:54.145Z", "dateReserved": "2026-01-26T21:06:47.868Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T19:41:33.773Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D0406A9F-E15B-452E-940A-ABF25EEAA871", "versionEndExcluding": "4.11.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue."}], "id": "CVE-2026-24771", "lastModified": "2026-02-04T15:28:20.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T20:16:24.337", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:45:04.197171+00:00", "value": {"mitigation_remediation": ["Update Hono to version 4.11.7 or later to eliminate the flawed component", "Ensure that any dynamic content passed to the ErrorBoundary component is properly escaped or sanitized before rendering", "Adopt a defense\u2011in\u2011depth strategy that includes input validation, output encoding, and strict content\u2011security policies to mitigate similar flaws"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site scripting that can execute arbitrary scripts in the victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "Developers deploying the Hono framework on JavaScript runtimes are affected. The flaw appears in all releases prior to version 4.11.7 of the Hono library. Updating to 4.11.7 or newer removes the vulnerability.", "description_and_impact": "A Cross\u2011Site Scripting flaw exists in the ErrorBoundary component of the Hono JavaScript framework. When certain user\u2011controlled strings reach this component, they can be rendered directly as raw HTML, which allows an attacker to inject and execute arbitrary code in the browser of a victim viewing the page. The flaw permits arbitrary script execution in the victim\u2019s browser when malicious input reaches the component.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the field. The flaw is not currently listed in the CISA KEV catalog. Exploitation would likely involve submitting crafted input that reaches the ErrorBoundary component, which then renders it as raw HTML in the client\u2019s browser."}}}}, "created": "2026-01-28T12:22:17.457021+00:00", "updated": "2026-04-18T15:00:03.431696+00:00", "vendors": ["hono", "hono$PRODUCT$hono"]}