CVE-2026-24771: Hono vulnerable to XSS through ErrorBoundary component

January 28, 2026

A Cross-Site Scripting (XSS) vulnerability exists in the ErrorBoundary component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim’s browser.

References

github.com/advisories/GHSA-9r54-q6cx-xmh5
github.com/honojs/hono
github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990
github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
nvd.nist.gov/vuln/detail/CVE-2026-24771

Code Behaviors & Features

Detect and mitigate CVE-2026-24771 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →