Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-1mzm-bnvy-1ugp
Vulnerability ID VCID-1mzm-bnvy-1ugp
Aliases CVE-2026-24771
GHSA-9r54-q6cx-xmh5
Summary Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2026-24771
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-9r54-q6cx-xmh5
cvssv3.1 4.7 https://github.com/honojs/hono
generic_textual MODERATE https://github.com/honojs/hono
cvssv3.1 4.7 https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
generic_textual MODERATE https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
ssvc Track https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
cvssv3.1 4.7 https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
cvssv3.1_qr MODERATE https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
generic_textual MODERATE https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
ssvc Track https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
cvssv3.1 4.7 https://nvd.nist.gov/vuln/detail/CVE-2026-24771
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-24771
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-24771
https://github.com/honojs/hono
2cf60046d730df9fd0aba85178f3ecfe8212d990 https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
CVE-2026-24771 https://nvd.nist.gov/vuln/detail/CVE-2026-24771
GHSA-9r54-q6cx-xmh5 https://github.com/advisories/GHSA-9r54-q6cx-xmh5
GHSA-9r54-q6cx-xmh5 https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/honojs/hono
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:05Z/ Found at https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T20:36:05Z/ Found at https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-24771
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.21264
EPSS Score 0.00069
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:52:32.082172+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/24xxx/CVE-2026-24771.json 38.6.0