Medium severity4.3GHSA Advisory· Published May 13, 2026· Updated May 13, 2026

CVE-2026-44458

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
hononpm	< 4.12.18	4.12.18

Affected products

Honojs/HonoGHSA
Range: < 4.12.18
Hono/Hono
cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*
Range: <4.12.18

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qp7p-654g-cw7pghsaADVISORY
github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7pnvdVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000