CVE-2026-14651

Source
https://cve.org/CVERecord?id=CVE-2026-14651
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14651.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14651
Downstream
Published
2026-07-04T20:15:13.522Z
Modified
2026-07-08T07:54:30.021838087Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
connorskees grass visitor denial of service
Details

A vulnerability has been found in connorskees grass up to 0.13.4. The impacted element is the function grasscompiler::selector::extend/grasscompiler::evaluate::visitor. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "0.13.3"
                },
                {
                    "last_affected": "0.13.3"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14651.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-404"
    ]
}
References

Affected packages

Git / github.com/connorskees/grass

Affected ranges

Type
GIT
Repo
https://github.com/connorskees/grass
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.13.0"
        },
        {
            "last_affected": "0.13.0"
        },
        {
            "introduced": "0.13.1"
        },
        {
            "last_affected": "0.13.1"
        },
        {
            "introduced": "0.13.2"
        },
        {
            "last_affected": "0.13.2"
        },
        {
            "introduced": "0.13.4"
        },
        {
            "last_affected": "0.13.4"
        }
    ]
}

Affected versions

0.*
0.13.0
0.13.1
0.13.2
0.13.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14651.json"