JavaScript Framework Vulnerability in Hono affecting Multiple Versions
CVE-2026-59895
6.1MEDIUM
What is CVE-2026-59895?
The Hono web application framework, which supports various JavaScript runtimes, has a vulnerability that allows for markup injection through improperly handled class names. In versions prior to 4.12.27, the cx() function in hono/css incorrectly marks class names as escaped without performing proper HTML escaping on the input. This oversight permits untrusted values in JSX class attributes to escape the attribute context and inject malicious markup, potentially leading to significant security risks during server-side rendering.
Affected Version(s)
hono >= 4.0.0, < 4.12.27
