CVE-2026-9358

Source
https://cve.org/CVERecord?id=CVE-2026-9358
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-9358.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-9358
Downstream
Published
2026-05-24T05:30:09.671Z
Modified
2026-06-18T03:56:05.808929893Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Summary
postcss-selector-parser AST Serialization container.js toString recursion
Details

A vulnerability was found in postcss-selector-parser up to 6.1.2/7.1.2. It affects the function toString in the file src/selectors/container.js of the AST Serialization component. Manipulated input can lead to uncontrolled recursion. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 6.1.3 or 7.1.3 addresses this issue. The patch is identified as 5bc698cef66f8abd12610dc623e5d67cbc0f869d. Upgrading the affected component is recommended. The vendor explains that, according to his definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to the 6.x branch, which was the most downloaded version.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9358.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-404",
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/postcss/postcss-selector-parser

Affected ranges

Type
GIT
Repo
https://github.com/postcss/postcss-selector-parser
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.1.0"
        },
        {
            "last_affected": "6.1.1"
        },
        {
            "last_affected": "6.1.2"
        },
        {
            "last_affected": "7.1.0"
        },
        {
            "last_affected": "7.1.1"
        },
        {
            "last_affected": "7.1.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

5.*
5.0.0
5.0.0-rc.2
5.0.0-rc.4
6.*
6.0.0
6.0.1
6.0.2
7.*
7.1.2
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v3.*
v3.0.0
v3.0.0-rc.0
v3.1.0
v3.1.1
v4.*
v4.0.0
v4.0.0-rc.0
v4.0.0-rc.1
v5.*
v5.0.0-rc.0
v5.0.0-rc.1
v5.0.0-rc.3
v6.*
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.1
v6.1.2
v7.*
v7.0.0
v7.1.0
v7.1.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-9358.json"