Skip to main content

Grass

1 CVEs product

Monthly

CVE-2026-14651 LOW POC Monitor

Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. A public exploit has been disclosed; however, the project maintainer explicitly contests the severity, noting that DoS conditions are an accepted and expected limitation of Sass compilers by design.

Denial Of Service Grass
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
EPSS 0% CVSS 1.9
LOW POC Monitor

Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. A public exploit has been disclosed; however, the project maintainer explicitly contests the severity, noting that DoS conditions are an accepted and expected limitation of Sass compilers by design.

Denial Of Service Grass
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy