Listen to this Post
How CVE-2026-59895 Works
Hono is a lightweight Web application framework that runs on any JavaScript runtime, from Node.js to Cloudflare Workers and Bun. Among its many built‑in helpers, `hono/css` provides a CSS‑in‑JSX experience. The `cx()` function inside this helper is a utility that composes multiple class name strings into a single space‑separated string, similar to the popular `classnames` library. It accepts plain strings, objects, or arrays and returns a combined class name that can be placed directly into a JSX `class` (or className) attribute.
The vulnerability exists because `cx()` marks its output as “already escaped” without actually performing HTML escaping on the input strings. In JSX, when an attribute value is a plain string, the framework’s SSR (server‑side rendering) pipeline typically HTML‑escapes the entire attribute value to prevent injection. However, `cx()` returns a specially flagged string that tells the JSX renderer: “this value is safe, do not escape it again.” Since `cx()` does not escape the individual class name fragments, any untrusted characters—such as double quotes ("), single quotes ('), angle brackets (<, >), or ampersands (&)—pass through untouched.
When an application renders JSX on the server and passes user‑controlled data (e.g., from a query parameter, form input, or database field) into cx(), the resulting string is inserted into the `class` attribute without escaping. An attacker can craft a class string that closes the attribute prematurely and then injects arbitrary HTML markup, including `
