Lucene search
+L

168 matches found

NVD
NVD
added 2026/05/13 4:16 p.m.16 views

CVE-2026-44458

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into t...

4.3CVSS0.00197EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/13 3:1 p.m.64 views

CVE-2026-44458 Hono: CSS Declaration Injection via Style Object Values in JSX SSR

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into t...

4.3CVSS0.00197EPSS
Exploits0References1
CVE
CVE
added 2026/05/13 2:57 p.m.36 views

CVE-2026-44455

Summary: CVE-2026-44455 affects hono/jsx in the Hono web framework. Prior to version 4.12.16, unvalidated JSX tag names used via programmatic jsx() or createElement() during server-side rendering could be inserted into HTML output, allowing untrusted input to break element context and inject unin...

6.1CVSS5.8AI score0.0014EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/05/13 2:57 p.m.3 views

CVE-2026-44455 Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...

4.7CVSS5.9AI score0.0014EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

Hono 注入漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.18 had an injection vulnerability. This vulnerability stemmed from the JSX renderer’s tendency to escape HTML values of style property objects without escaping them with CSS. As a result, unexpect...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

Hono 注入漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.16 had an injection vulnerability. This vulnerability stemmed from improper handling of JSX element tag names in hono/jsx, allowing unvalidated tag names to be directly inserted into the generated...

6.1CVSS5.8AI score0.0014EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/09 12:46 a.m.11 views

NPM: Hono has CSS Declaration Injection via Style Object Values in JSX SSR

NPM: Hono has CSS Declaration Injection via Style Object Values in JSX SSR vulnerability discovered by ? in WordPress Npm hono versions 4.12.18...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/09 12:46 a.m.70 views

GHSA-QP7P-654G-CW7P Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

4.3CVSS6AI score0.00197EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/09 12:46 a.m.14 views

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

4.3CVSS6AI score0.00197EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:49 p.m.11 views

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Summary Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx or createElement APIs during server-side rendering, specially crafted values may...

6.1CVSS5.7AI score0.0014EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.15 views

PT-2026-38318

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.16 Description Improper handling of JSX element tag names in hono/jsx allows unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...

6.1CVSS5.8AI score0.0014EPSS
Exploits0References170
Snyk
Snyk
added 2026/05/04 1:20 a.m.8 views

Malicious Package

Overview forge-jsx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/04/16 1:2 a.m.4 views

GHSA-458J-XX4X-4375 hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended...

4.3CVSS5.7AI score0.00174EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/16 1:2 a.m.17 views

hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR

Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended...

5.3CVSS5.7AI score0.00174EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/15 6:37 p.m.9 views

MAL-2026-2884 Malicious code in forge-jsx (npm)

forge-jsx is a malicious npm package that impersonates an Autodesk Forge SDK. It was published as a fully-formed RAT from its first version on April 7, 2026. Installing the package on any non-CI machine deploys a persistent background agent that captures all keystrokes, monitors clipboard content...

5.9AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/03/16 12:0 a.m.9 views

Malicious code in transform-react-jsx (npm)

The package 'transform-react-jsx' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

5.5AI score
Exploits0References3
OSV
OSV
added 2026/03/16 12:0 a.m.8 views

MAL-2026-1508 Malicious code in transform-react-jsx (npm)

The package 'transform-react-jsx' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

5.6AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/25 2:38 a.m.2 views

CVE-2026-27612 Repostat Vulnerable to Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the RepoCard component is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability occurs because the component uses React's dangerouslySetInnerHTML to render the repository name repo pro...

6.1CVSS5.8AI score0.00196EPSS
Exploits1References2
OSV
OSV
added 2026/02/25 2:38 a.m.9 views

CVE-2026-27612 Repostat Vulnerable to Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the RepoCard component is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability occurs because the component uses React's dangerouslySetInnerHTML to render the repository name repo pro...

6.1CVSS6AI score0.00196EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/12 12:0 a.m.8 views

PT-2026-7809

Name of the Vulnerable Software and Affected Versions next-mdx-remote versions 4.3.0 through 5.0.0 Description The serialize function within next-mdx-remote is susceptible to arbitrary code execution because of inadequate sanitization of MDX content. This allows untrusted MDX to execute JavaScrip...

8.8CVSS6.2AI score0.00582EPSS
Exploits0References10
Rows per page
Query Builder