CVE-2026-24771

medium

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.

References

https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5

https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990

Details

Source: Mitre, NVD

Published: 2026-01-27

Updated: 2026-01-27

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.7

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00036