Skip to main content

PostCSS CVE-2026-41305

| EUVDEUVD-2026-25383 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 GitHub_M GHSA-qx2v-qp2m-jg93
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 17:16 nvd
Patch available
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 03:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 03:00 euvd
EUVD-2026-25383
Analysis Generated
Apr 24, 2026 - 03:00 vuln.today
CVE Published
Apr 24, 2026 - 02:27 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 101 npm packages depend on postcss (27 direct, 74 indirect)

Ecosystem-wide dependent count for version 8.5.10.

DescriptionGitHub Advisory

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

AnalysisAI

PostCSS versions prior to 8.5.10 fail to escape </style> sequences when stringifying CSS Abstract Syntax Trees, allowing cross-site scripting (XSS) attacks when user-submitted CSS is embedded in HTML <style> tags. An attacker can inject CSS containing </style> sequences in property values to break out of the style context and execute arbitrary JavaScript in the victim's browser. This requires user interaction (UI:R) and affects applications that parse untrusted CSS and re-stringify it for embedding in HTML documents.

Technical ContextAI

PostCSS is a JavaScript tool that parses CSS into an Abstract Syntax Tree (AST), allowing programmatic analysis and transformation of CSS rules. The vulnerability resides in the AST stringification process, which converts the parsed AST back into CSS text for embedding in HTML documents. When CSS containing </style> sequences in property values (e.g., background-image URLs, content properties, or other string-valued declarations) is re-stringified without proper escaping, the closing tag breaks out of the HTML <style> context, allowing subsequent HTML or JavaScript to be interpreted. This is a classic context-escape vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where the tool fails to account for the embedding context's special characters. The issue affects any application using PostCSS versions before 8.5.10 to process untrusted CSS.

RemediationAI

Upgrade PostCSS to version 8.5.10 or later immediately. For applications that cannot upgrade immediately, implement input validation by rejecting CSS containing the literal string </style> before passing to PostCSS, or implement output encoding by HTML-escaping the stringified CSS before embedding in <style> tags (replacing < with &lt;, > with &gt;). Note that output encoding adds a minor performance cost and modifies the stringified output, potentially affecting CSS parsing if not applied correctly. The recommended fix is upgrading to 8.5.10, which addresses the root cause by properly escaping </style> sequences during stringification. Consult https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93 and https://github.com/postcss/postcss/releases/tag/8.5.10 for official remediation guidance.

Vendor StatusVendor

Share

CVE-2026-41305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy