CVE-2026-44458

MEDIUM 4.3 | EPSS 0.04%

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Published: 5/9/2026 | Modified: 5/10/2026

Description

### Summary

The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout.

### Details

`style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property. This issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side.

### Impact

An attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to:

- Visual manipulation of the page, including full-viewport overlays usable for phishing
- Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)`
- Hijacking of UI affordances through layout, positioning, or visibility changes

This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.
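The serialization flaw described above, as an added illustration (a constructed model, not Hono's own source): an attribute-escaped-only serializer is shown beside a hardened one that validates property names and rejects CSS declaration boundaries, plus a helper that reports the offending entries for logging. Style keys are assumed to already be kebab-case CSS property names.

```javascript
// Constructed model of a JSX renderer's style-object serialization (not Hono's
// own code). Keys are assumed to already be kebab-case CSS property names.

// HTML-attribute escaping alone: it prevents attribute breakout, but CSS
// declaration boundaries (';', comment markers, quotes, '{' and '}') are all
// legal attribute characters and pass straight through.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Mirrors the flaw in the advisory: values are joined into a declaration
// list with no CSS-context validation.
function styleToCssUnsafe(style) {
  return Object.entries(style).map(([p, v]) => `${p}:${v}`).join(';');
}

// Property names must be plain CSS identifiers; values must not contain
// anything that can close or extend a declaration. Backslash is rejected too,
// since CSS escapes could otherwise smuggle the same characters.
const CSS_PROP_RE = /^-?[a-zA-Z_][a-zA-Z0-9_-]*$/;
const CSS_BOUNDARY_RE = /[;{}"'\\]|\/\*|\*\//;

// Returns the keys whose name or value would break out of their declaration,
// suitable for logging as a detection signal.
function unsafeStyleEntries(style) {
  return Object.entries(style)
    .filter(([p, v]) => !CSS_PROP_RE.test(p) || CSS_BOUNDARY_RE.test(String(v)))
    .map(([p]) => p);
}

// Hardened serializer: drops offending entries instead of emitting them.
function styleToCssSafe(style) {
  const bad = new Set(unsafeStyleEntries(style));
  return Object.entries(style)
    .filter(([p]) => !bad.has(p))
    .map(([p, v]) => `${p}:${v}`).join(';');
}

function renderStyleAttr(style, serialize) {
  return `style="${escapeAttr(serialize(style))}"`;
}

// Constructed untrusted value carrying a ';' declaration boundary.
const tainted = { color: 'red; display: none' };
console.log(renderStyleAttr(tainted, styleToCssUnsafe)); // two declarations emitted
console.log(renderStyleAttr(tainted, styleToCssSafe));   // offending entry dropped
```

The hardened serializer also rejects legitimate values that need quotes, such as a quoted `url()` or a `font-family` name; an application that relies on those should validate them against its own allow-list before they reach the style object.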

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |

References (2)