CVE-2026-59895
Hono (server-side JS framework) contains a CS/XSS flaw in cx() within hono/css: class name construction concatenates strings and marks the result as pre-escaped, bypassing HTML escaping. This allows untrusted className values used in a JSX class attribute during server-side rendering to break out...