Bug 2461366 (CVE-2026-41305)

Summary: CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abarbaro, abrianik, akostadi, alcohan, alizardo, amasferr, anpicker, anthomas, anujha, aschwart, asoldano, aszczucz, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, bparees, brasmith, bstansbe, cdrage, chfoley, cmah, cmyers, cochase, dkeler, dlofthou, dmayorov, dnakabaa, doconnor, dranck, drichtar, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gotiwari, gparvin, hasun, ibolton, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jfula, jhe, jhorak, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jraez, juwatts, jwong, kaycoth, kshier, ktsao, lball, lchilton, lcouzens, lphiri, manissin, mhulan, mosmerov, mposolda, msvehla, mvyas, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pberan, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, prwatson, psrna, ptisnovs, rchan, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rmartinc, rstancel, rstepani, rushinde, sdawley, sfeifer, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, suppawar, swoodman, syedriko, tasato, teagle, thason, thjenkin, tmalecek, tsedmik, ttakamiy, vdosoudi, veshanka, vmuzikar, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `<style>` tags, it fails to properly escape `</style>` sequences. This oversight enables the injected `</style>` to prematurely close the HTML style block, allowing the attacker to inject malicious scripts and execute arbitrary code in the user's browser context.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-24 03:01:32 UTC
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
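The failure mode described above is a boundary problem: an HTML parser treats the contents of a `<style>` element as raw text and ends it at the first `</style` (case-insensitive) that is followed by whitespace, `/` or `>`, regardless of CSS syntax. The following is an added example, not PostCSS's own code and not the 8.5.10 fix, showing how a consumer that embeds re-stringified CSS can detect such sequences and neutralise them at the embedding boundary; the helper names (`findStyleBreakouts`, `escapeForStyleElement`, `renderStyleElement`) and the sample CSS are assumptions constructed for the example.

```javascript
// Added example (not PostCSS code): guard CSS text before placing it in a
// <style> element. Helper names and sample input are constructed here.

// The HTML tokenizer closes a <style> element at "</style" (any case) when
// the next character is whitespace, "/" or ">". "</styles>" does not close
// it, so the lookahead mirrors that rule exactly.
const END_TAG_RE = /<\/style(?=[\t\n\f\r />])/gi;

// Return the offsets of every sequence that would end the <style> element.
function findStyleBreakouts(css) {
  const hits = [];
  for (const m of css.matchAll(END_TAG_RE)) hits.push(m.index);
  return hits;
}

// Put a CSS backslash escape between "<" and "/" so the HTML tokenizer never
// sees a literal "</style". Inside a CSS string "\/" decodes to "/", so a
// quoted value such as content: "</style>" keeps its original meaning.
function escapeForStyleElement(css) {
  return css.replace(/<\/(?=style)/gi, '<\\/');
}

// Wrap CSS in a <style> element after escaping; the only "</style" in the
// result is the real closing tag.
function renderStyleElement(css) {
  return '<style>' + escapeForStyleElement(css) + '</style>';
}

// Constructed sample: what a stringifier would emit for user-supplied CSS
// whose string value contains a closing tag.
const SAMPLE_CSS = 'a::before { content: "</style><b>injected</b>"; }';

module.exports = { findStyleBreakouts, escapeForStyleElement, renderStyleElement, SAMPLE_CSS };
```

The escape only preserves semantics inside CSS strings (and comments, which are not tokenised). A `</style` outside a string is not valid CSS in the first place, so a stricter consumer can treat a non-empty `findStyleBreakouts` result as a reason to reject the input rather than rewrite it. Either way this is defence in depth at the embedding boundary; the fix the record names is upgrading PostCSS to 8.5.10.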