Hono
cpe:2.3:a:hono:hono:*:*:*:*:node.js:*:*
- < 4.12.18
A vulnerability in the Hono web application framework, prior to version 4.12.18, allows for the injection of arbitrary CSS declarations into rendered style attributes. This issue arises because the JSX renderer escapes style object values for HTML but not for CSS. As a result, untrusted input that reaches a style object value or property name can be used to inject additional CSS declarations. The vulnerability is limited to CSS injection and does not permit JavaScript execution or HTML attribute breakout.
Exploitation of this vulnerability could lead to unauthorized CSS injection, allowing for visual manipulation of the page, such as creating full-viewport overlays for phishing. It could also enable outbound requests to attacker-controlled hosts via CSS resource references, or hijack UI elements through changes in layout, positioning, or visibility.
Users are advised to update to Hono version 4.12.18 or later.
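The gap described above, as an added example (not Hono's code and not part of the original advisory): a simplified serializer that only HTML-escapes style values, next to one that validates property names and values first. All function names and the sample input are constructed for illustration, and the rejection rules are one possible policy for applications that pass untrusted data into style objects.

```javascript
// Added illustration: a simplified model of style-object serialization,
// not Hono's source. All function names here are hypothetical.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// camelCase -> kebab-case, leaving custom properties (--x) untouched.
const toKebab = (name) =>
  name.startsWith('--') ? name : name.replace(/[A-Z]/g, (m) => '-' + m.toLowerCase());

// Model of the flawed behaviour: HTML escaping only, no CSS awareness.
function htmlOnlyStyle(style) {
  return Object.entries(style)
    .map(([k, v]) => `${toKebab(k)}:${escapeHtml(v)}`)
    .join(';');
}

const SAFE_NAME = /^(--[A-Za-z0-9_-]+|-?[a-z][a-z0-9-]*)$/;
// Characters and tokens that can end a declaration, open a block, start a
// comment or escape, or reference a remote resource. Rejecting url() outright
// is a policy choice made for this example.
const UNSAFE_VALUE = /[;{}\\<>"'\n\r]|\/\*|url\s*\(|image-set\s*\(|@import/i;

// Hardened serializer: drops any declaration whose name or value fails validation.
function validatedStyle(style) {
  const kept = [], rejected = [];
  for (const [k, v] of Object.entries(style)) {
    const name = toKebab(k), value = String(v).trim();
    if (SAFE_NAME.test(name) && value !== '' && !UNSAFE_VALUE.test(value)) {
      kept.push(`${name}:${value}`);
    } else {
      rejected.push(k);
    }
  }
  return { css: escapeHtml(kept.join(';')), rejected };
}

// Number of declarations a CSS parser would see in a style attribute value.
const declarationCount = (css) => css.split(';').filter((d) => d.includes(':')).length;

// Constructed sample: one key whose value comes from untrusted input.
const untrusted = { color: 'red; display: none' };
```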