CVE-2026-59895
Received Received - Intake

Cross-Site Scripting in Hono Framework via Unescaped CSS Class Names

Vulnerability report for CVE-2026-59895, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
honojs hono to 4.12.27 (exc)
honojs hono 4.12.27

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hono web framework versions 4.0.0 to before 4.12.27, specifically in the cx() function used to compose CSS class names in JSX during server-side rendering. The function incorrectly treats composed class names as already escaped, which means it does not properly HTML-escape untrusted input. This flaw allows an attacker to inject arbitrary markup by breaking out of the class attribute, leading to a server-side Cross-Site Scripting (XSS) vulnerability.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary scripts in the context of a victim's browser. This can lead to session hijacking, credential theft, or other malicious actions performed on behalf of the user. The attack requires that untrusted input is passed to the cx() function as a class name during server-side JSX rendering.

Detection Guidance

This vulnerability involves server-side rendering in the Hono framework versions 4.0.0 to before 4.12.27, where untrusted input passed to the cx() function can lead to Cross-Site Scripting (XSS). Detection involves identifying if your system is running a vulnerable version of Hono and if untrusted input is passed to cx() in JSX class attributes.

To detect the vulnerability on your system, you can check the installed version of the Hono framework. For example, if you use npm, run:

  • npm list hono

If the version is between 4.0.0 and 4.12.26 inclusive, your system is vulnerable.

Additionally, you can search your codebase for usage of the cx() function with potentially untrusted input in JSX class attributes. For example, using grep or similar tools:

  • grep -r "cx(" ./src

To detect exploitation attempts on your network, monitor HTTP requests for suspicious payloads that attempt to inject markup via class attributes, especially those containing characters like <, {, }, or quotes that could break out of attributes.

Mitigation Strategies

The primary mitigation step is to upgrade the Hono framework to version 4.12.27 or later, where the vulnerability is fixed.

The fix includes validation and sanitization of class names passed to cx(), filtering out unsafe characters, and properly escaping special characters to prevent attribute injection and XSS.

If immediate upgrade is not possible, ensure that untrusted input is never passed directly to the cx() function or used in JSX class attributes without proper sanitization or escaping.

Review your code to avoid passing user-controlled data to class name composition functions and implement input validation to block unsafe characters such as <, {, }, and quotes.

Compliance Impact

The vulnerability in the Hono framework allows server-side Cross-Site Scripting (XSS) attacks by improperly escaping untrusted input in CSS class names during server-side rendering. This can lead to arbitrary script execution, session hijacking, or credential theft in a victim's browser.

Such security flaws can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Exploitation of this vulnerability could lead to unauthorized access or disclosure of sensitive data, thereby violating these regulations' requirements for data confidentiality and integrity.

Therefore, organizations using affected versions of Hono must apply the security fix (version 4.12.27 or later) to mitigate risks that could lead to non-compliance with these common standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart