CVE-2026-24771

{"id": "CVE-2026-24771", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.6}]}, "published": "2026-01-27T20:16:24.337", "references": [{"url": "https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim's browser. Version 4.11.7 patches the issue."}, {"lang": "es", "value": "Hono es un framework de aplicaci\u00f3n web que proporciona soporte para cualquier tiempo de ejecuci\u00f3n de JavaScript. Antes de la versi\u00f3n 4.11.7, existe una vulnerabilidad de Cross-Site Scripting (XSS) en el componente `ErrorBoundary` de la librer\u00eda hono/jsx. Bajo ciertos patrones de uso, las cadenas no confiables controladas por el usuario pueden ser renderizadas como HTML sin procesar, permitiendo la ejecuci\u00f3n arbitraria de scripts en el navegador de la v\u00edctima. La versi\u00f3n 4.11.7 corrige el problema."}], "lastModified": "2026-02-04T15:28:20.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D0406A9F-E15B-452E-940A-ABF25EEAA871", "versionEndExcluding": "4.11.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}