Intel

AIKIDO-2026-668178

hono is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)GHSA-w62v-xxxg-mg59 Published Jun 24, 2026

61

Medium Risk

This Affects:

JShono
4.0.0 - 4.12.26
Fixed in 4.12.27
Are you affected? Scan for Free

TL;DR

The cx() utility in hono/css composes class names from plain strings but marks the result as already-escaped without HTML-escaping the input. When the composed value is used as a JSX class attribute during server-side rendering, the normal attribute escaping is skipped, so characters such as " pass through unescaped. Untrusted input passed as a class name can break out of the class attribute and inject arbitrary markup, resulting in server-side Cross-Site Scripting. The fix escapes the composed class name before it is emitted into the attribute.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application renders JSX server-side and passes untrusted input as a class name to cx() from hono/css.

Background info

hono is vulnerable to Cross-Site Scripting (XSS) in versions 4.0.0 - 4.12.26.

How to fix this

Upgrade the hono library to the patch version.