PT-2026-34839 · Postcss · Postcss

Published: 2026-04-24 · Updated: 2026-05-21 · CVE-2026-41305

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

PostCSS versions prior to 8.5.10

Description

PostCSS transforms CSS files into an Abstract Syntax Tree (AST) to analyze and modify rules. The software fails to escape </style> sequences when stringifying CSS ASTs. If user-submitted CSS is parsed and then re-stringified for embedding within HTML <style> tags, the </style> sequence in CSS values can break out of the style context, allowing for Cross-Site Scripting (XSS).

Recommendations

Update to version 8.5.10.
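
The breakout described above and an application-side guard for code that embeds stringified CSS in a <style> element, as an added example. It is not PostCSS code or its patch; the function names, the sample CSS and the choice of rewriting the sequence as <\/style are assumptions of this example.

```javascript
// Added example, not PostCSS code. Function names and sample are constructed.

// HTML parses <style> content as raw text: the element ends at the first
// "</style" followed by whitespace, "/" or ">", whatever the CSS quoting says.
const STYLE_END = /<\/style(?=[\t\n\f\r \/>])/i;

// Constructed sample: a CSS string value carrying the end-tag sequence
// followed by harmless markup.
const SAMPLE =
  'a::after { content: "</style><b>markup outside the style element</b>"; }';

// Return the part of `css` an HTML parser keeps as the style element's text.
// Anything after it is parsed as ordinary HTML.
function rawTextSeenByHtmlParser(css) {
  const m = STYLE_END.exec(css);
  return m ? css.slice(0, m.index) : css;
}

// Guard (assumed approach): rewrite every "</style" as "<\/style".
// CSS reads "\/" inside strings and url() as a plain "/", so the value is
// unchanged for the CSS parser, while the HTML tokenizer no longer sees "</".
function escapeStyleEndTag(css) {
  return css.replace(/<\/(style)/gi, "<\\/$1");
}

// Embed untrusted, already-stringified CSS in a <style> element.
function embedInStyleTag(css) {
  return "<style>" + escapeStyleEndTag(css) + "</style>";
}

// Stand-alone run: show where the element would end before and after escaping.
const escaped = escapeStyleEndTag(SAMPLE);
console.log("unescaped style text:", rawTextSeenByHtmlParser(SAMPLE));
console.log("escaped style text:  ", rawTextSeenByHtmlParser(escaped));
```

Upgrading to the fixed version remains the recommendation; a guard like this covers CSS that reaches a template by other paths.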

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-41305
GHSA-QX2V-QP2M-JG93

Affected Products

Postcss