CVE-2026-41305 MEDIUM

CVE-2026-41305: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Vendor Postcss
Product postcss
Weakness CWE-79 · XSS
Published April 24, 2026
Last update April 24, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
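An added example (written for this record; it is not PostCSS code and does not reproduce the fix shipped in 8.5.10) showing the failure mode the description names and one defensive boundary check. A stringifier that emits CSS string values verbatim keeps a `</style>` sequence intact, and the HTML tokenizer ends a raw-text `<style>` element at that sequence regardless of CSS quoting. The function names, the constructed `USER_CSS` sample and the choice of the CSS hex escape `\3c ` as the mitigation are all assumptions of this example.

```javascript
// Added example, not PostCSS code. Shows why a CSS stringifier that does not
// escape "</style>" is unsafe when its output is placed inside an HTML <style>
// element, plus one mitigation applied at the embedding boundary.

// Constructed sample of "user-submitted" CSS whose string value contains
// "</style>". A parse/stringify round-trip that preserves values verbatim
// (the behaviour the advisory describes for versions before 8.5.10) leaves
// the sequence in the output unchanged.
const USER_CSS = '.banner::after { content: "</style>"; }';

// Stand-in for a stringifier that emits values verbatim (the unsafe case).
function naiveStringify(css) {
  return css;
}

// Detection: report the offset of the first "</style" (case-insensitive) in the
// CSS text, or -1. The HTML tokenizer closes the raw-text element at this
// sequence even when it sits inside a CSS string literal.
function findStyleBreakout(css) {
  const m = /<\/style/i.exec(css);
  return m ? m.index : -1;
}

// Mitigation (this example's choice, not the library's fix): escape every "<"
// as the CSS hex escape "\3c ". The CSS parser decodes it back to "<", so the
// stylesheet is semantically unchanged, but the HTML tokenizer never sees
// "</style". Escaping all "<" rather than only "</style" also covers case
// variants such as "</STYLE" and "</style " with trailing whitespace.
function escapeForStyleElement(css) {
  return css.replace(/</g, '\\3c ');
}

// Embed CSS in a <style> element only after escaping.
function embedInStyle(css) {
  return `<style>${escapeForStyleElement(css)}</style>`;
}

// Sanity check on the final HTML: exactly one "</style" must be present, the
// closing tag written by embedInStyle itself.
function countStyleClosers(html) {
  return (html.match(/<\/style/gi) || []).length;
}

// Unsafe path: the verbatim output contains a second closer.
const unsafeHtml = `<style>${naiveStringify(USER_CSS)}</style>`;
console.log('unsafe closers:', countStyleClosers(unsafeHtml));   // 2
// Safe path: the escaped output contains only our own closer.
console.log('safe closers:', countStyleClosers(embedInStyle(USER_CSS))); // 1
```

`countStyleClosers` is the cheap regression check to keep around: any rendered page that embeds untrusted CSS should yield exactly one closer per `<style>` element you wrote, and a count above that means the escaping step was skipped somewhere upstream.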

Key dates

02 Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated
