{"id":"CVE-2026-59895","summary":"Hono: Server-Side XSS via JSX Escaping Bypass in cx() Utility","details":"Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx() in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class attribute during server-side rendering to break out of the attribute and inject arbitrary markup. This issue is fixed in version 4.12.27.","aliases":["GHSA-w62v-xxxg-mg59"],"modified":"2026-07-15T01:49:05.832278621Z","published":"2026-07-08T16:09:51.273Z","database_specific":{"cwe_ids":["CWE-116","CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59895.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/honojs/hono/releases/tag/v4.12.27"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59895.json"},{"type":"ADVISORY","url":"https://github.com/honojs/hono/security/advisories/GHSA-w62v-xxxg-mg59"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59895"},{"type":"FIX","url":"https://github.com/honojs/hono/commit/cd3f6f7194f0e5c9d4b26ae0cf232018d0f388fc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/honojs/hono","events":[{"introduced":"ca6f36511094522b84b6575d99bde4728bcea87c"},{"fixed":"97c6fe1f12298c715eb7b2da65b4b6e0d81682bb"},{"fixed":"cd3f6f7194f0e5c9d4b26ae0cf232018d0f388fc"}],"database_specific":{"extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.12.27"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*"}}],"versions":["v4.12.26","v4.12.25","v4.12.24","v4.12.23","v4.12.22","v4.12.21","v4.12.20","v4.12.19","v4.12.18","v4.12.17","v4.12.16","v4.12.15","v4.12.14","v4.12.13","v4.12.12","v4.12.11","v4.12.10","v4.12.9","v4.12.8","v4.12.7","v4.12.6","v4.12.5","v4.12.4","v4.12.3","v4.12.2","v4.12.1","v4.12.0","v4.11.10","v4.11.9","v4.11.8","v4.11.7","v4.11.6","v4.11.5","v4.11.4","v4.11.3","v4.11.2","v4.11.1","v4.11.0","v4.10.8","v4.10.7","v4.10.6","v4.10.5","v4.10.4","v4.10.3","v4.10.2","v4.10.1","v4.10.0","v4.9.12","v4.9.11","v4.9.10","v4.9.9","v4.9.8","v4.9.7","v4.9.6","v4.9.5","v4.9.4","v4.9.3","v4.9.2","v4.9.1","v4.9.0","v4.8.12","v4.8.11","v4.8.10","v4.8.9","v4.8.8","v4.8.7","v4.8.6","v4.8.5","v4.8.4","v4.8.3","v4.8.2","v4.8.1","v4.8.0","v4.7.11","v4.7.10","v4.7.9","v4.7.8","v4.7.7","v4.7.6","v4.7.5","v4.7.4","v4.7.3","v4.7.2","v4.7.1","v4.7.0","v4.6.20","v4.6.19","v4.6.18","v4.6.17","v4.6.16","v4.6.15","v4.6.14","v4.6.13","v4.6.12","v4.6.11","v4.6.10","v4.6.9","v4.6.8","v4.6.7","v4.6.6","v4.6.5","v4.6.4","v4.6.3","v4.6.2","v4.6.1","v4.6.0","v4.5.11","v4.5.10","v4.5.9","v4.5.8","v4.5.7","v4.5.6","v4.5.5","v4.5.4","v4.5.3","v4.5.2","v4.5.1","v4.5.0","v4.4.13","v4.4.12","v4.4.11","v4.4.10","v4.5.0-rc.2","v4.4.9","v4.4.8","v4.4.7","v4.4.6","v4.5.0-rc.1","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v4.3.11","v4.3.10","v4.3.9","v4.3.8","v4.3.7","v4.3.6","v4.3.5","v4.3.4","v4.3.3","v4.3.2","v4.3.1","v4.3.0","v4.2.9","v4.2.8","v4.2.7","v4.2.6","v4.2.5","v4.2.4","v4.2.3","v4.2.2","v4.2.1","v4.2.0","v4.1.7","v4.1.6","v4.1.5","v4.1.4","v4.1.3","v4.1.2","v4.1.1","v4.1.0","v4.0.10","v4.1.0-rc.1","v4.0.9","v4.0.8","v4.0.7","v4.0.6","v4.0.5","v4.0.4","v4.0.3","v4.0.2","v4.0.1","v4.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59895.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}