Summary
Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.
When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML.
Details
When rendering JSX elements to HTML strings, attribute values are escaped and attribute names are validated. However, element tag names were previously inserted into the output without validation.
If a tag name contains characters such as <, >, quotes, or whitespace, it may alter the structure of the generated HTML.
For example, malformed tag names can:
- Break out of the intended element and introduce unintended HTML elements
- Inject attributes or event handlers into the rendered output
This issue arises when untrusted input (such as query parameters or database content) is used as JSX tag names via jsx() or createElement() during server-side rendering.
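To make the defect class concrete, here is an added illustration that is not hono's own code: a minimal JSX-to-HTML renderer in the vulnerable shape the Details section describes (attribute values escaped, attribute names validated, tag name inserted as-is) next to a hardened variant that validates the tag name first. The tag-name and attribute-name grammars are simplified assumptions for this example, and the optional allowlist parameter is likewise an assumption, not a hono API.

```typescript
// Added illustration, not hono's own code: a minimal JSX-to-HTML renderer with
// the defect class described above beside a hardened variant.

type Attrs = Record<string, string>;

// Attribute values and text content are escaped so they cannot close the
// quoted value or the element (simplified escaping, assumed for this example).
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Simplified attribute-name rule: an identifier-like token, nothing else.
const ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

// Tag-name rule assumed here: an ASCII letter followed by letters, digits or
// hyphens, which covers standard elements and custom elements alike.
const TAG_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;

function isSafeTagName(tag: string): boolean {
  return TAG_NAME.test(tag);
}

function renderAttrs(attrs: Attrs): string {
  let out = "";
  for (const name of Object.keys(attrs)) {
    if (!ATTR_NAME.test(name)) throw new Error(`invalid attribute name: ${name}`);
    out += ` ${name}="${escapeHtml(attrs[name])}"`;
  }
  return out;
}

// Vulnerable pattern: everything is checked except the tag itself, so a tag
// such as "div x" lands in the markup verbatim and changes its structure.
function renderUnvalidated(tag: string, attrs: Attrs, text: string): string {
  return `<${tag}${renderAttrs(attrs)}>${escapeHtml(text)}</${tag}>`;
}

// Hardened pattern: reject anything outside the tag grammar (and, if the
// caller supplies one, outside its allowlist) before building the string.
function renderValidated(tag: string, attrs: Attrs, text: string,
                         allow?: readonly string[]): string {
  if (!isSafeTagName(tag)) throw new Error(`invalid tag name: ${JSON.stringify(tag)}`);
  if (allow && allow.indexOf(tag) === -1) throw new Error(`tag not allowlisted: ${tag}`);
  return renderUnvalidated(tag, attrs, text);
}
```

The allowlist branch corresponds to the advisory's note that applications using static or allowlisted tag names are not affected; the grammar check alone is the minimum a renderer needs.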
Impact
An attacker who can control tag names used in JSX rendering may inject unintended HTML into the generated output.
This may lead to:
- Injection of unexpected HTML elements or attributes
- Corruption of the HTML structure
- Cross-site scripting (XSS) when combined with unsafe usage patterns
This issue only affects applications that construct JSX tag names from untrusted input. Applications using static or allowlisted tag names are not affected.
CVE-2026-44455 has a CVSS score of 4.7 (Medium). The attack vector is network, no privileges are required, and user interaction is required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.12.16); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44455? CVE-2026-44455 is a medium-severity security vulnerability in hono (npm), affecting versions < 4.12.16. It is fixed in 4.12.16.
- How severe is CVE-2026-44455? CVE-2026-44455 has a CVSS score of 4.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of hono are affected by CVE-2026-44455? hono (npm) versions < 4.12.16 are affected.
- Is there a fix for CVE-2026-44455? Yes. CVE-2026-44455 is fixed in 4.12.16. Upgrade to this version or later.
- Is CVE-2026-44455 exploitable, and should I be worried? Whether CVE-2026-44455 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-44455 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44455? Upgrade hono to 4.12.16 or later.