CVE-2026-59895 in Honoinfo

Summary

by MITRE • 07/08/2026

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability affects the Hono web application framework version 4.0.0 through 4.12.26 where the cx() function in hono/css module improperly handles class name composition during server-side rendering. The flaw stems from a critical misimplementation in how the function processes input class names, specifically failing to properly escape HTML characters in user-provided class attributes before marking them as safe. When developers use JSX class attributes with dynamic or untrusted className values, the cx() function blindly concatenates these strings without adequate sanitization, creating a path for malicious input to break out of the intended attribute context and inject arbitrary HTML markup into the rendered output.

The technical implementation issue resides in the CSS class composition logic where the function assumes that inputs are already escaped but fails to perform actual HTML escaping on the plain string values. This creates a classic cross-site scripting vulnerability during server-side rendering operations, as demonstrated by CWE-79 which specifically addresses Cross-Site Scripting flaws. The vulnerability operates at the intersection of client-side and server-side rendering contexts where untrusted data flows through the framework's CSS handling mechanism without proper sanitization, allowing attackers to inject malicious markup that gets executed when the rendered HTML is delivered to clients.

The operational impact of this vulnerability extends beyond simple XSS attacks as it can enable more sophisticated exploitation techniques including session hijacking, credential theft, and arbitrary code execution within the context of the vulnerable application. Attackers can leverage this flaw by providing malicious class names containing script tags or other HTML elements that will be rendered directly into the page output. This issue particularly affects applications using server-side rendering with dynamic class name generation, where user-provided data flows through the framework's CSS composition layer without proper validation. The vulnerability demonstrates a failure in the principle of least privilege and input sanitization, allowing untrusted data to bypass security controls during HTML generation.

Mitigation strategies should focus on upgrading to version 4.12.27 or later where the fix has been implemented to properly escape all input strings before marking them as safe for HTML inclusion. Organizations should also implement comprehensive input validation and sanitization at multiple layers of their applications, particularly when dealing with dynamic class name generation in server-side rendering contexts. Security teams should conduct thorough code reviews focusing on any custom implementations that handle CSS class names or similar attribute composition functions to ensure proper escaping mechanisms are in place. Additional protective measures include implementing content security policies to limit the execution of injected scripts, monitoring for suspicious class name patterns in application logs, and establishing automated testing procedures that specifically target HTML injection vulnerabilities in rendering components. The fix addresses the underlying issue by ensuring all input strings undergo proper HTML escaping regardless of their source or expected safety level, aligning with ATT&CK technique T1203 which focuses on exploitation of web application vulnerabilities through improper input handling.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!