CVE-2026-44458: Hono has CSS Declaration Injection via Style Object Values in JSX SSR

May 9, 2026

The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

References

github.com/advisories/GHSA-qp7p-654g-cw7p
github.com/honojs/hono
github.com/honojs/hono/security/advisories/GHSA-qp7p-654g-cw7p
nvd.nist.gov/vuln/detail/CVE-2026-44458

Code Behaviors & Features

Detect and mitigate CVE-2026-44458 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →