2481006 – (CVE-2026-9358) CVE-2026-9358 postcss-selector-parser: Postcss: Denial of Service via uncontrolled recursion in AST Serialization

Bug 2481006 (CVE-2026-9358) - CVE-2026-9358 postcss-selector-parser: Postcss: Denial of Service via uncontrolled recursion in AST Serialization

Summary: CVE-2026-9358 postcss-selector-parser: Postcss: Denial of Service via uncontr...

Keywords:
Status:	NEW
Alias:	CVE-2026-9358
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-24 07:01 UTC by OSIDB Bzimport
Modified:	2026-06-15 09:58 UTC (History)
CC List:	168 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-24 07:01:11 UTC

A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
abrianik
abuckta
akostadi
alcohan
alizardo
amasferr
anpicker
anthomas
anujha
aschwart
asoldano
aszczucz
ataylor
bbaranow
bbrownin
bdettelb
bmaxwell
boliveir
bparees
brasmith
bstansbe
cdrage
chfoley
cmah
cmyers
cochase
dbruscin
dfreiber
dhanak
dkuc
dlofthou
dmayorov
dnakabaa
doconnor
dranck
drichtar
drosa
drow
dschmidt
dymurray
eaguilar
ebaron
eborisov
ehelms
erezende
ewittman
fdeutsch
fmariani
ggainey
ggrzybek
gmalinko
gotiwari
gparvin
hasun
ibek
ibolton
istudens
ivassile
iweiss
janstey
jbalunas
jburrell
jchui
jfula
jgrulich
jhe
jhorak
jkoehler
jlanda
jlledo
jmatthew
jmontleo
jolong
jowilson
jraez
jrokos
juwatts
jwong
jwon
kaycoth
kshier
ktsao
kvanderr
lball
lchilton
lcouzens
lphiri
manissin
mcarlett
mhulan
mnovotny
mosmerov
mposolda
mstipich
msvehla
mvyas
nboldt
ngough
nipatil
nmoumoul
nwallace
nyancey
oaljalju
omaciel
ometelka
orabin
oramraz
osousa
pahickey
pantinor
parichar
pberan
pcreech
pdelbell
pesilva
pgaikwad
pjindal
pmackay
psrna
ptisnovs
rchan
rexwhite
rgodfrey
rhaigner
rhel-process-autobot
rjohnson
rkubis
rmartinc
rstancel
rstepani
rushinde
sausingh
sdawley
sdoran
sfeifer
simaishi
slucidi
smaestri
smallamp
smcdonal
smullick
sseago
ssilvert
stcannon
sthirugn
sthorger
stirabos
swoodman
syedriko
tasato
tcunning
teagle
thason
thjenkin
tmalecek
tpopela
tsedmik
ttakamiy
vdosoudi
veshanka
vkumar
vmuzikar
watson-tool-maintainers
xdharmai
yfang
yguenane