Bug 2461366 (CVE-2026-41305) - CVE-2026-41305 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
Status: NEW
Alias: CVE-2026-41305
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-04-24 03:01 UTC by OSIDB Bzimport
Modified: 2026-07-02 16:56 UTC (History)



Description (OSIDB Bzimport, 2026-04-24 03:01:32 UTC):
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
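As an added illustration (not part of this bug report and not PostCSS code), a small Node.js helper that detects the `</style` sequence the description refers to and escapes CSS before it is embedded in an HTML `<style>` element. The escaping strategy (`</` to `<\/`) is the example's own defensive choice, not a statement of how PostCSS 8.5.10 fixes the issue; the sample rule is constructed.

```javascript
// Added example: defend against CSS that breaks out of an HTML <style> element.
// The HTML tokenizer ends a <style> element at the first "</style" followed by
// whitespace, "/" or ">" (case-insensitive), regardless of CSS quoting, so a CSS
// value containing that sequence escapes the style context. Escaping every "</"
// as "<\/" keeps the CSS meaning (a backslash before "/" is a plain CSS escape
// inside strings, identifiers and url() tokens) while the HTML tokenizer no
// longer sees an end tag.

// The exact sequence the HTML RAWTEXT tokenizer treats as a closing style tag.
const STYLE_END_TAG = /<\/style[\t\n\f />]/i;

// Detection: does this CSS text contain a sequence that would close <style>?
function containsStyleBreakout(css) {
  return STYLE_END_TAG.test(css);
}

// Mitigation: neutralise every "</" so no end tag can be formed.
function escapeCssForStyleElement(css) {
  return css.replace(/<\//g, '<\\/');
}

// Wrap escaped CSS in a <style> element for embedding in an HTML document.
function embedInStyleElement(css) {
  return `<style>${escapeCssForStyleElement(css)}</style>`;
}

// Constructed sample: a user-submitted rule whose string value carries a closing tag.
const USER_CSS = '.note::after { content: "</style><b>injected</b>"; }';

console.log(containsStyleBreakout(USER_CSS));                // true
console.log(containsStyleBreakout(escapeCssForStyleElement(USER_CSS))); // false
console.log(embedInStyleElement(USER_CSS));
```

`containsStyleBreakout` is the check to run on re-stringified CSS before trusting it in a `<style>` element; `embedInStyleElement` applies the escape unconditionally so the result is safe whether or not the check fired.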

