Medium severity 6.1 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 24, 2026
CVE-2026-41305
Description
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in an HTML `<style>` element, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
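As an added example (not PostCSS code and not the 8.5.10 patch), the following is a defensive wrapper an application can apply to stringified CSS before placing it in a `<style>` element. It assumes the breakout sequence is `</style>`; the function names and the sample CSS are constructed for illustration.

```javascript
// Added example: guard at the point where stringified CSS is embedded in HTML.
// All names here are hypothetical; nothing below is taken from PostCSS.

// The HTML tokenizer ends a <style> element at "</style" (any letter case)
// followed by whitespace, "/" or ">", regardless of CSS quoting or comments.
// Matching every "</style" prefix is slightly stricter than that rule.
function closesStyleElement(css) {
  return /<\/(?=style)/i.test(css);
}

// Rewrite "</style" as "<\/style". In CSS a backslash before a non-hex
// character stands for that character, so string values keep their meaning
// while the HTML tokenizer no longer sees an end tag.
function neutralizeStyleEnd(css) {
  return css.replace(/<\/(?=style)/gi, "<\\/");
}

// Build the <style> element, refusing output that could still close early.
function toStyleElement(css) {
  const safe = neutralizeStyleEnd(css);
  if (closesStyleElement(safe)) {
    throw new Error("CSS still contains a </style sequence");
  }
  return "<style>" + safe + "</style>";
}

// Count the end tags a browser would recognise in the final HTML.
function styleEndTagCount(html) {
  return (html.match(/<\/style[\s\/>]/gi) || []).length;
}

// Constructed sample: a declaration value as it might come back from a
// parse and re-stringify round trip of user-submitted CSS.
const SAMPLE_CSS =
  'a::after { content: "</STYLE><p>outside the style element</p>"; }';

// Naive embedding yields two end tags: the element closes inside the value.
const NAIVE_HTML = "<style>" + SAMPLE_CSS + "</style>";
const GUARDED_HTML = toStyleElement(SAMPLE_CSS);
```

Upgrading to 8.5.10 remains the fix the advisory names; a check like this sits at the embedding boundary as a second layer.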
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| postcss (npm) | < 8.5.10 | 8.5.10 |
Affected products
23 · osv-coords · 22 versions. No CPE is listed for any entry.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/homepage | < 1.13.2-r1 |
| pkg:apk/chainguard/jitsucom-jitsu-console | < 2.11.0-r23 |
| pkg:apk/chainguard/keep-ui | < 0.51.0-r6 |
| pkg:apk/chainguard/keep-ui-fips | < 0.51.0-r6 |
| pkg:apk/chainguard/langfuse-2 | < 2.95.12-r22 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r22 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.164.0-r8 |
| pkg:apk/chainguard/langfuse-fips-2 | < 2.95.12-r24 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r24 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r7 |
| pkg:apk/chainguard/pelias-api | < 7.8.0-r0 |
| pkg:apk/chainguard/renovate | < 43.166.2-r0 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/vite | < 8.0.11-r0 |
| pkg:apk/chainguard/vitess-23 | < 23.0.4-r2 |
| pkg:apk/wolfi/jitsucom-jitsu-console | < 2.11.0-r23 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.164.0-r8 |
| pkg:apk/wolfi/renovate | < 43.166.2-r0 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/vite | < 8.0.11-r0 |
| pkg:apk/wolfi/vitess-23 | < 23.0.4-r2 |
| pkg:npm/postcss | < 8.5.10 |