CVE-2026-44455

Summary: CVE-2026-44455 affects hono/jsx in the Hono web framework. Prior to version 4.12.16, unvalidated JSX tag names used via programmatic jsx() or createElement() during server-side rendering could be inserted into HTML output, allowing untrusted input to break element context and inject unin...

CVE-2026-44455 Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...

CVE-2026-44455 Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...

CVE-2026-44455

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...

MAL-2026-3483 Malicious code in @tanstack/solid-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3467 Malicious code in @tanstack/react-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6c8db33bfb3bf19b736238a7e0895ecfd856e38c6e86d83f6eee8df6f5c13730 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

birdclaw (>=0.1.0 <=0.6.0), livemark (>=0.0.0-dev <=0.23.0) potentially affected by CVE-2026-45321 via @tanstack/react-router-ssr-query (>=1.166.10 <=1.166.12)

@tanstack/react-router-ssr-query NPM version =1.166.10, =0.1.0, =0.0.0-dev, =0.23.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTROUTERSSRQUERY-16640207...

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

GHSA-QP7P-654G-CW7P Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

CVE-2026-41423

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

EUVD-2026-28552

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

CVE-2026-41423

Summary: CVE-2026-41423 corresponds to an SSRF vulnerability in @angular/platform-server during SSR, where URL handling can cause the server to treat the attacker’s domain as the local origin. This occurs when a crafted request (e.g., GET /evil.com/ HTTP/1.1) is passed to Angular’s rendering func...

CVE-2026-41423 Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

GHSA-69XW-7HCM-H432 hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Summary Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx or createElement APIs during server-side rendering, specially crafted values may...

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

Summary Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx or createElement APIs during server-side rendering, specially crafted values may...

@cosla/sensemaking-web-ui (>=1.0.5 <=1.0.8), @manniwatch/client-desktop (>=0.30.0 <=0.30.1) +3 more potentially affected by CVE-2026-44437 via @angular/ssr (>=19.0.5 <=19.2.19)

@angular/ssr NPM version =19.0.5, =1.0.5, =0.30.0, =0.30.0, =19.0.0-alpha.20, =19.0.0-alpha.20, =19.0.0-alpha.24 Source cves: CVE-2026-44437 Source advisory: OSV:GHSA-69XR-M8H6-H664...

@hmcts/ccd-case-ui-toolkit (>=7.3.49-4369 <=7.3.51), @hmcts/media-viewer (>=4.2.16-4435 <=4.2.17-exui-4369-cve-fix-01) potentially affected by CVE-2026-44437 via @angular/ssr (>=20.3.18 <=20.3.24)

@angular/ssr NPM version =20.3.18, =7.3.49-4369, =4.2.16-4435, =4.2.17-exui-4369-cve-fix-01 Source cves: CVE-2026-44437 Source advisory: OSV:GHSA-69XR-M8H6-H664...

@docgeni/angular (=21.0.1), @jamelyassin/shadcn-angular (>=1.0.3 <=1.0.4) +15 more potentially affected by CVE-2026-44437 via @angular/ssr (>=21.1.2 <=21.2.7)

@angular/ssr NPM version =21.1.2, =1.0.3, =1.1.0, =2.0.0, =1.0.0, =0.0.2, =0.5.0, =0.1.2, =1.0.0, =0.0.2, =0.0.3-beta.1 and more Source cves: CVE-2026-44437 Source advisory: SNYK:JS-ANGULARSSR-16438975...

GHSA-R27J-894H-3W3P mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...

PT-2026-38318

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.16 Description Improper handling of JSX element tag names in hono/jsx allows unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the...