Moderate severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 27, 2026
Hono has a Cross-site Scripting vulnerability
CVE-2026-24771
Description
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hono (npm) | < 4.11.7 | 4.11.7 |
Affected products
OSV coordinates (6 versions):
- pkg:apk/chainguard/hono
- pkg:apk/chainguard/langfuse-3-worker
- pkg:apk/chainguard/langfuse-fips-3-worker
- pkg:apk/chainguard/librechat
- pkg:apk/wolfi/langfuse-3-worker
- pkg:npm/hono

Ranges (no CPE):
- range: < 0
- range: < 3.153.0-r0
- range: < 3.152.0-r0
- range: < 0.8.2-r1
- range: < 3.153.0-r0
- range: < 4.11.7
References
- github.com/advisories/GHSA-9r54-q6cx-xmh5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24771 (ghsa, ADVISORY)
- github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990 (ghsa, x_refsource_MISC, WEB)
- github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5 (ghsa, x_refsource_CONFIRM, WEB)