CVE-2026-44458
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
Description
### Summary

The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS; it does not allow JavaScript execution or breakout of the HTML attribute.

### Details

`style` object values are serialized into a CSS declaration list and then escaped for the HTML attribute context only. Characters that act as CSS declaration boundaries — `;`, comment markers (`/*`), quote characters that open strings, and block delimiters (`{`, `}`) — are all legal in HTML attribute content, so attribute escaping leaves them intact and they keep their CSS meaning. A value containing them can end its own declaration and start another, extending the injected text beyond the property it was assigned to. The issue arises whenever untrusted input is interpolated into a JSX `style` object that is rendered server-side.

### Impact

An attacker who can control the value or the property name of a `style` object may inject arbitrary CSS declarations. This may lead to:

- Visual manipulation of the page, including full-viewport overlays usable for phishing
- Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)`
- Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.
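The serialization flaw described above, as an added example that is not Hono's code: a minimal model of a JSX `style` serializer in its vulnerable shape (HTML attribute escaping only) beside a hardened shape that validates property names and CSS-escapes boundary characters in values, plus a small declaration counter that makes the breakout measurable. The function names, the `attacker.example` host, the escape-based hardening strategy and the payloads are assumptions made for this example; none of them is taken from the advisory or from Hono's actual fix.

```javascript
// Added illustration of the bug class in the advisory, not Hono's own code.
// A JSX `style` object is turned into a CSS declaration list; the vulnerable
// shape escapes the result for the HTML attribute only, the hardened shape
// also neutralises CSS boundary characters. Function names, the hardening
// strategy and the sample payloads are assumptions made for this example.

// HTML attribute escaping: sufficient for the attribute, irrelevant for CSS.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// camelCase -> kebab-case, the usual JSX style-object convention (assumed).
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Vulnerable shape: names and values are copied into the declaration list
// as-is, so `;`, `/*`, quotes and braces keep their CSS meaning.
function serializeStyleVulnerable(style) {
  return Object.entries(style).map(([k, v]) => `${toKebab(k)}:${v}`).join(';');
}

// Hardened shape: names must be plain CSS identifiers (fail closed), and every
// value character that can open a new declaration, comment, string or block is
// replaced by its CSS hex escape (`;` -> `\3b `). The trailing space ends the
// escape so a following hex digit in the value is not swallowed. An escaped
// code point is tokenised as part of the current value and cannot act as a
// boundary, so a bad value can only invalidate its own declaration.
const CSS_IDENT = /^-?[a-zA-Z_][a-zA-Z0-9_-]*$/;
const CSS_BOUNDARY = /[;{}\\"'\x00-\x1f\x7f]|\/(?=\*)/g;

function cssEscapeValue(v) {
  return String(v).replace(CSS_BOUNDARY, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

function serializeStyleHardened(style) {
  return Object.entries(style).map(([k, v]) => {
    const prop = toKebab(k);
    if (!CSS_IDENT.test(prop)) throw new TypeError(`unsafe CSS property name: ${JSON.stringify(k)}`);
    return `${prop}:${cssEscapeValue(v)}`;
  }).join(';');
}

// Wrap the declaration list as the attribute a renderer would emit.
const styleAttr = (css) => `style="${escapeHtmlAttr(css)}"`;

// Counts the declarations a CSS parser would see in a declaration list:
// top-level `;` separators, honouring escapes, strings, comments and the
// inside of parentheses. Used here only to make the breakout visible.
function countDeclarations(css) {
  let count = 0, inDecl = false, depth = 0, i = 0;
  while (i < css.length) {
    const c = css[i];
    if (c === '\\') { i += 2; inDecl = true; continue; }          // escaped code point
    if (c === '"' || c === "'") {                                   // string token
      for (i++; i < css.length && css[i] !== c; i++) if (css[i] === '\\') i++;
      i++; inDecl = true; continue;
    }
    if (css.startsWith('/*', i)) {                                  // comment, to `*/` or end
      const end = css.indexOf('*/', i + 2); i = end < 0 ? css.length : end + 2; continue;
    }
    if (c === '(') depth++;
    else if (c === ')') depth = Math.max(0, depth - 1);
    else if (c === ';' && depth === 0) { if (inDecl) count++; inDecl = false; i++; continue; }
    if (!/\s/.test(c)) inDecl = true;
    i++;
  }
  return count + (inDecl ? 1 : 0);
}

// Constructed sample: the attacker controls what the app believes is a colour.
const attackerColor = 'red; background-image: url(https://attacker.example/beacon)';

console.log(styleAttr(serializeStyleVulnerable({ color: attackerColor })));
console.log(styleAttr(serializeStyleHardened({ color: attackerColor })));
```

Run with `node`: the vulnerable line yields two declarations (`color` and the injected `background-image`), the hardened line yields one, because `;` has become `\3b` and the rest of the payload is just an invalid `color` value that the browser drops. The comment-marker case behaves the same way: `red /*` in the vulnerable output swallows every later declaration in the attribute, while the hardened output keeps them. The filter is deliberately conservative: it also escapes quotes, so values such as `font-family: "Helvetica Neue"` must come from trusted code rather than from user input. Note that a Content-Security-Policy does not stop this injection on a page that already allows inline `style` attributes; it only limits what injected `url(...)` references may load, via `img-src` and `font-src`.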
How to fix CVE-2026-44458
To remediate CVE-2026-44458, upgrade the affected package to a fixed version below.
- hono: upgrade to 4.12.18 or later
Is CVE-2026-44458 being exploited?
Low: the EPSS score is 0.0%, i.e. the EPSS model estimates a negligible probability of exploitation activity in the wild over the next 30 days. EPSS is a prediction, not a record of observed exploitation, so this does not prove the issue is unexploited.
Affected packages (1)
- hono: all versions before 4.12.18 (>= 0, < 4.12.18)