VDB

CVE-2026-24771

CVE-2026-24771 PUBLISHED CVSS 4.699999809265137 MEDIUM

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.

EPSS 0.07% · 21.2th percentile

Risk Scores

CVSS v3.1
4.699999809265137
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.07%
21.2th percentile

Affected Products

VendorProductVersions
npmhono0, 0, 0
honohono0, 0, 0
honojshono*, < 4.11.7, < 4.11.7

Timeline

  • Jan 27, 2026 CVE Published
  • Jan 27, 2026 PoC Published
  • Jan 28, 2026 EPSS Score
  • Jan 29, 2026 PoC Published
  • Jan 29, 2026 Security Advisory
  • Jan 30, 2026 EPSS Score
  • Feb 2, 2026 EPSS Score
  • Feb 4, 2026 EPSS Score
  • Feb 4, 2026 CVE Updated
  • Feb 7, 2026 EPSS Score
  • Feb 9, 2026 EPSS Score
  • Feb 12, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›