JavaScript Framework Vulnerability in Hono affecting Multiple Versions
CVE-2026-59895

6.1MEDIUM

Key Information:

Vendor

Honojs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59895?

The Hono web application framework, which supports various JavaScript runtimes, has a vulnerability that allows for markup injection through improperly handled class names. In versions prior to 4.12.27, the cx() function in hono/css incorrectly marks class names as escaped without performing proper HTML escaping on the input. This oversight permits untrusted values in JSX class attributes to escape the attribute context and inject malicious markup, potentially leading to significant security risks during server-side rendering.

Affected Version(s)

hono >= 4.0.0, < 4.12.27

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.