Postcss vulnerabilities
4 known vulnerabilities affecting postcss/postcss.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2026-41305 [MEDIUM] CVSS 6.1, CWE-79. Fixed in 8.5.10. Published 2026-04-24.
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, a `</style>` in a CSS value breaks out of the style context, enabl
Sources: GHSA, NVD, Red Hat
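What the CWE-79 entry above means in practice, as an added example that is not postcss code and not the 8.5.10 fix: the HTML parser ends a `<style>` element at the first `</style` it sees regardless of CSS quoting, so any CSS value that survives parse-and-stringify verbatim can close the element and drop attacker markup into HTML context. The helper names below are this example's own, and the `</` to `<\/` escaping is one workable mitigation at the embedding step (in CSS strings and url() tokens `\/` decodes to `/`), not a statement of how the library fixed it.

```javascript
// Added example (not postcss's own code): demonstrates how an unescaped
// "</style>" inside a CSS value escapes a <style> element, and one escaping
// that keeps the stylesheet's meaning. All function names are hypothetical.

// Emulates the HTML tokenizer rule for raw-text elements: inside <style>, only
// "</style" followed by whitespace, "/" or ">" (case-insensitive) ends the
// element. CSS string quoting is invisible to the HTML parser.
function findStyleEnd(html, from) {
  const re = /<\/style(?=[\s\/>])/gi;
  re.lastIndex = from;
  const m = re.exec(html);
  return m ? m.index : -1;
}

// Vulnerable pattern: the re-stringified CSS is dropped in verbatim.
function embedNaive(css) {
  return '<style>' + css + '</style>';
}

// Hardened variant: every "</" becomes "<\/". In CSS strings and url() tokens
// "\/" is an escape for "/", so the stylesheet means the same thing, but the
// HTML tokenizer no longer finds "</style" anywhere inside the element.
function escapeForStyleElement(css) {
  return css.replace(/<\//g, '<\\/');
}

function embedSafe(css) {
  return '<style>' + escapeForStyleElement(css) + '</style>';
}

// True when the HTML parser closes the style element before the closing tag
// the template author wrote, i.e. the CSS escaped its context.
function styleBreaksOut(html) {
  const intended = html.lastIndexOf('</style>');
  const first = findStyleEnd(html, '<style>'.length);
  return first !== -1 && first < intended;
}

// Undoes only the "\/" escape so a reader can confirm the CSS string value is
// unchanged after escaping (a full CSS unescaper is out of scope here).
function cssUnescapeSlash(s) {
  return s.replace(/\\\//g, '/');
}

// Constructed attacker input: a CSS value carrying a closing tag and markup.
const untrustedCss =
  'a::after { content: "</style><img src=x onerror=alert(1)>"; }';

const naiveHtml = embedNaive(untrustedCss);
const safeHtml = embedSafe(untrustedCss);
console.log('naive embed breaks out:', styleBreaksOut(naiveHtml)); // true
console.log('safe embed breaks out: ', styleBreaksOut(safeHtml));  // false
console.log('escaped CSS:', escapeForStyleElement(untrustedCss));
```

The escaping belongs at the point where CSS is written into HTML; it is a defence for the embedding code, not a substitute for upgrading to 8.5.10 or later if the library's stringifier is what emits the value.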
CVE-2023-44270 [MEDIUM] CVSS 5.3, CWE-74. Fixed in 8.4.31. Published 2023-09-29.
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS so that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite bei
Sources: GHSA, NVD, OSV
CVE-2021-23382 [HIGH] CVSS 7.5, CWE-1333. Affected: < 7.0.36 (fixed in 7.0.36); ≥ 8.0.0, < 8.2.13; +1 more range. Published 2021-04-26.
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Sources: GHSA, NVD, OSV
CVE-2021-23368 [MEDIUM] CVSS 5.3. Affected: ≥ 7.0.0, < 7.0.36; ≥ 8.0.0, < 8.2.10; +2 more ranges. Published 2021-04-12.
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Sources: GHSA, NVD, OSV
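The two ReDoS entries (CVE-2021-23382 and CVE-2021-23368) share one cause: the source-map annotation regex has overlapping quantifiers, so a `/*# sourceMappingURL=` comment that never closes makes the engine retry every split of the trailing whitespace. The block below is an added example, not postcss's own code: VULNERABLE_RE is an illustrative reconstruction built around the sub-pattern quoted in the advisory, not the exact regex that shipped, and the scanner is this example's own linear-time replacement. It assumes the annotation has the usual `/*# sourceMappingURL=... */` form.

```javascript
// Added example (not postcss's own code): the backtracking shape behind a
// source-map annotation ReDoS, and a linear-time scanner to replace it.
// VULNERABLE_RE is an illustrative reconstruction around the advisory's
// sub-pattern \/\*\s*# sourceMappingURL=(.*), not the regex that shipped.

// `(.*)` and the following `\s*` both accept spaces. When the closing `*/`
// is missing, every split of a trailing run of n spaces between the two
// quantifiers is tried before the match fails: roughly n^2/2 steps.
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function getAnnotationRegex(css) {
  const m = VULNERABLE_RE.exec(css);
  return m ? m[1].trim() : null;
}

// Linear-time replacement: find the comment opener with indexOf, skip the
// whitespace by hand, and take the text up to the first following `*/`
// (which is also where a CSS tokenizer ends the comment). Work per comment
// opener is bounded by the distance scanned, so total cost is O(input).
function getAnnotationScan(css) {
  const marker = '# sourceMappingURL=';
  let from = 0;
  for (;;) {
    const open = css.indexOf('/*', from);
    if (open === -1) return null;
    let i = open + 2;
    while (i < css.length && /\s/.test(css[i])) i++;
    if (css.startsWith(marker, i)) {
      const close = css.indexOf('*/', i + marker.length);
      if (close === -1) return null;
      return css.slice(i + marker.length, close).trim();
    }
    from = open + 2;
  }
}

// Constructed inputs: a normal annotation, and a hostile one with no closing
// `*/` padded with n spaces to drive the backtracking.
const benignCss = 'a { color: red }\n/*# sourceMappingURL=app.css.map */\n';
function hostileCss(n) {
  return '/*# sourceMappingURL=' + ' '.repeat(n);
}

// Wall-clock time of one call in milliseconds, to compare growth with n.
function timeMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

console.log('benign, regex:', getAnnotationRegex(benignCss)); // app.css.map
console.log('benign, scan: ', getAnnotationScan(benignCss));  // app.css.map
for (const n of [2000, 4000, 8000]) {
  const css = hostileCss(n);
  console.log(`n=${n}: regex ${timeMs(getAnnotationRegex, css).toFixed(1)} ms, ` +
              `scan ${timeMs(getAnnotationScan, css).toFixed(1)} ms`);
}
```

Doubling n should roughly quadruple the regex time while the scanner stays flat; the input only needs to reach the annotation parser, which it does whenever untrusted CSS is processed with source-map handling enabled, so upgrading past 8.2.13 (or 7.0.36 on the 7.x line) is the real remedy.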