What is the CVSS score of CVE-2026-44458?

CVE-2026-44458 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-44458?

Yes, a patch is available for CVE-2026-44458. Update the affected software to the latest version immediately.

Hono JSX renderer CVE-2026-44458

MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2026-05-09 https://github.com/honojs/hono

GHSA-qp7p-654g-cw7p

Code Injection

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 09, 2026 - 01:32 vuln.today

Analysis Generated

May 09, 2026 - 01:32 vuln.today

CVE Published

May 09, 2026 - 00:46 nvd

MEDIUM 4.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

23 npm packages depend on hono (22 direct, 1 indirect)

Ecosystem-wide dependent count for version 4.12.18.

DescriptionNVD

Summary

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Details

style object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries - such as ;, comment markers, quoted strings, and block delimiters - are valid in HTML attribute content and can extend a value beyond its assigned property.

This issue arises when untrusted input is interpolated into a JSX style object and rendered server-side.

Impact

An attacker who can control the value or property name of a style object may inject arbitrary CSS declarations. This may lead to:

Visual manipulation of the page, including full-viewport overlays usable for phishing
Outbound requests to attacker-controlled hosts via CSS resource references such as url(...)
Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with style object values or property names derived from untrusted input.

AnalysisAI

CSS declaration injection in Hono's JSX server-side renderer allows remote attackers to inject arbitrary CSS declarations via untrusted style object values or property names, enabling visual manipulation, outbound CSS requests to attacker hosts, and UI hijacking. Affects Hono versions before 4.12.18 when rendering JSX server-side with user-controlled style object inputs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44458 vulnerability details – vuln.today

Back

Hono JSX renderer CVE-2026-44458

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Summary

Details

Impact

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code