CVE-2026-41305

6.1

MEDIUM CVSS 3.1

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Overview

Description

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

Details

INFO

Published Date :

April 24, 2026, 3:16 a.m.

Last Modified :

April 24, 2026, 5:16 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]

Impact

Affected Products

The following products are affected by CVE-2026-41305 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Postcss	postcss

: Total Affected Vendor : 1 | Products : 1

Scoring

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Score	Version	Severity	Vector	Exploitability Score	Impact Score	Source
	CVSS 3.1	MEDIUM				[email protected]

Solution

Update PostCSS to version 8.5.10 or later to fix XSS vulnerabilities.

Update PostCSS to version 8.5.10 or later.
Verify CSS escaping to prevent XSS.
Ensure HTML style tags are sanitized.

Public PoC/Exploit Available at Github

CVE-2026-41305 has a 4 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-41305.

URL	Resource
https://github.com/postcss/postcss/releases/tag/8.5.10
https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-41305 is associated with the following CWEs:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-41305 weaknesses.

CAPEC-63: Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) CAPEC-85: AJAX Footprinting AJAX Footprinting CAPEC-209: XSS Using MIME Type Mismatch XSS Using MIME Type Mismatch CAPEC-588: DOM-Based XSS DOM-Based XSS CAPEC-591: Reflected XSS Reflected XSS CAPEC-592: Stored XSS Stored XSS

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

fxeliott/fxmily

Fxmily — suivi comportemental des membres de la formation de trading (PWA, Next.js 16 + Prisma 7)

JavaScript TypeScript CSS

Updated: 5 days, 12 hours ago

0 stars 0 fork 0 watcher

Born at : May 5, 2026, 2:26 p.m. This repo has been linked 2 different CVEs too.

Rwx-G/Lorica

A modern, secure, dashboard-first reverse proxy built in Rust. Single binary, embedded control plane, optional WAF. Powered by Pingora.

control-plane reverse-proxy sysops waf

Rust Shell HTML Svelte CSS TypeScript JavaScript Dockerfile Python Go

Updated: 2 weeks ago

20 stars 3 fork 3 watcher

Born at : March 29, 2026, 2:40 p.m. This repo has been linked 1 different CVEs too.

Ktiseos-Nyx/Ktiseos-Nyx-Trainer

AI model trainer with SD-Scripts support, as well as standard auto-tagging, step calculator, and real-time training monitoring. Featuring Civitai model downloading, model merging and more. NextJS/React Based UI with Shadcn components.

lora nextjs15 shadcn-ui stable-diffusion flux-architecture machine-learning nodejs sd-scripts trainer training

Python Shell Batchfile JavaScript TypeScript CSS

Updated: 1 week, 5 days ago

16 stars 1 fork 1 watcher

Born at : Oct. 8, 2025, 1:44 a.m. This repo has been linked 1 different CVEs too.

sininspira2/ResourceTracker

Inventory Tracker for Dune: Awakening

JavaScript TypeScript CSS

Updated: 1 week, 4 days ago

2 stars 8 fork 8 watcher

Born at : Aug. 5, 2025, 5:05 p.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-41305 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-41305 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

Apr. 24, 2026

Action	Type	Old Value	New Value
Added	Reference		https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93

New CVE Received by [email protected]