ByteOS Network

NVD Vulnerability Details :

CVE-2026-41305

Deferred

Source-security-advisories@github.com

Published At-24 Apr, 2026 | 03:16

Updated At-24 Apr, 2026 | 17:16

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	security-advisories@github.com

CWE ID: CWE-79

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/postcss/postcss/releases/tag/8.5.10	security-advisories@github.com	N/A
https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93	security-advisories@github.com	N/A
https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A