CVE-2026-41305

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41305.json"
}

References

Affected packages

Git / github.com/postcss/postcss

Affected ranges

Type

GIT

Repo

https://github.com/postcss/postcss

Events

Introduced

Fixed

33b9790263dc1562a46ce45d9532bd63e95b7986

Database specific

{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.5.10"
        }
    ]
}

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

1.*

1.0.0

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.1.0

4.1.1

4.1.10

4.1.11

4.1.12

4.1.13

4.1.14

4.1.15

4.1.16

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

5.*

5.0.0

5.0.1

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.2

5.0.20

5.0.21

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.1

5.1.2

5.2.0

5.2.1

5.2.10

5.2.11

5.2.12

5.2.13

5.2.14

5.2.15

5.2.16

5.2.17

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

6.*

6.0.0

6.0.1

6.0.10

6.0.11

6.0.12

6.0.13

6.0.14

6.0.15

6.0.16

6.0.17

6.0.18

6.0.19

6.0.2

6.0.20

6.0.21

6.0.22

6.0.23

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

7.*

7.0.0

7.0.1

7.0.10

7.0.11

7.0.12

7.0.13

7.0.14

7.0.15

7.0.16

7.0.17

7.0.18

7.0.19

7.0.2

7.0.20

7.0.21

7.0.22

7.0.23

7.0.24

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.3

7.0.30

7.0.31

7.0.32

7.0.4

7.0.5

7.0.6

7.0.7

7.0.8

7.0.9

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.0.8

8.0.9

8.1.0

8.1.1

8.1.10

8.1.11

8.1.12

8.1.13

8.1.14

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.2.0

8.2.1

8.2.10

8.2.11

8.2.12

8.2.13

8.2.14

8.2.15

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.2.9

8.3.0

8.3.1

8.3.10

8.3.11

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0

8.4.1

8.4.10

8.4.11

8.4.12

8.4.13

8.4.14

8.4.15

8.4.16

8.4.17

8.4.18

8.4.19

8.4.2

8.4.20

8.4.21

8.4.22

8.4.23

8.4.24

8.4.25

8.4.26

8.4.27

8.4.28

8.4.29

8.4.3

8.4.30

8.4.31

8.4.32

8.4.33

8.4.34

8.4.35

8.4.36

8.4.37

8.4.38

8.4.39

8.4.4

8.4.40

8.4.41

8.4.42

8.4.43

8.4.44

8.4.45

8.4.46

8.4.47

8.4.48

8.4.49

8.4.5

8.4.6

8.4.7

8.4.8

8.4.9

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41305.json"