PT-2026-39328 · Hono · Hono

Published: 2026-05-09 · Updated: 2026-05-18 · CVE-2026-44458

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.18

Description: The JSX renderer escapes style attribute object values for HTML but not for CSS. When untrusted input is interpolated into a JSX style object and rendered server-side, characters that act as CSS declaration boundaries (such as `;`, comment markers, quoted strings, and block delimiters) can be used to inject additional CSS declarations into the rendered style attribute. This allows an attacker who controls the value or property name of a style object entry to cause visual page manipulation (including full-viewport overlays for phishing), outbound requests to attacker-controlled hosts via CSS resource references such as url(...), and hijacking of UI affordances through layout, positioning, or visibility changes. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

Recommendations: Update to version 4.12.18.
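The following is an added illustration, not Hono's renderer or its fix: a minimal server-side style-object serializer that only HTML-escapes values (the pattern the description faults), beside a hardened version that validates untrusted property names and values before they reach the style attribute. All function names and the allowlist patterns are assumptions chosen for this example.

```javascript
// Added example; not Hono's code. Shows why HTML escaping alone does not
// protect a style attribute, and one defensive validation approach.

// HTML-escape a string for use inside a double-quoted attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// camelCase -> kebab-case (backgroundColor -> background-color).
function toCssProperty(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Vulnerable pattern: only HTML escaping. CSS declaration boundaries
// (";", "{", "}", comment markers) are not HTML-special, so they pass
// through and a single value can carry extra declarations.
function renderStyleNaive(style) {
  const decls = Object.entries(style).map(
    ([k, v]) => `${toCssProperty(k)}:${v}`
  );
  return `style="${escapeHtmlAttr(decls.join(";"))}"`;
}

// Hardened pattern: allowlist the property name and the value shape.
// The value pattern excludes every character that could start a new
// declaration, a comment, a string, a block, or a url() reference.
const SAFE_PROPERTY = /^[a-z][a-z0-9-]*$/;
const SAFE_VALUE = /^[A-Za-z0-9 #.%,-]+$/;

function renderStyleSafe(style) {
  const decls = [];
  for (const [k, raw] of Object.entries(style)) {
    const prop = toCssProperty(k);
    const value = String(raw).trim();
    if (!SAFE_PROPERTY.test(prop)) {
      throw new Error(`rejected style property: ${JSON.stringify(k)}`);
    }
    if (!SAFE_VALUE.test(value)) {
      throw new Error(`rejected style value for ${prop}: ${JSON.stringify(value)}`);
    }
    decls.push(`${prop}:${value}`);
  }
  return `style="${escapeHtmlAttr(decls.join(";"))}"`;
}
```

With a constructed untrusted value such as `"red;font-weight:bold"`, the naive serializer emits two declarations where the template author wrote one, while the hardened serializer rejects the value outright.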

Weakness Enumeration

Special Elements Injection

Improper Encoding or Escaping of Output

Related Identifiers

CLEANSTART-2026-BE61221
CVE-2026-44458
GHSA-QP7P-654G-CW7P

Affected Products

Hono