CVE-2026-41305Cross-site Scripting in Postcss

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 91.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
67
Postcss3scale-amp2 System-rhel73scale-amp2 System-rhel8+64 more
Timeline
PublishedApr 24

Description

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `` tags, `` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages69 packages

CVEListV5postcss/postcss< 8.5.10
npmpostcss/postcss< 8.5.10
Red Hatpostcss/postcss
Red Hatrust-lang/rust
Red Hatclusterlabs/pcs

🔴Vulnerability Details

1
GHSA
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output2026-04-24

📋Vendor Advisories

1
Red Hat
postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags2026-04-24