CVE-2026-41305

Summary

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Severity

medium

EPSS

0.2% (p9)

Also known as

GHSA-qx2v-qp2m-jg93

Published

2026-04-24

References

• https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93
• https://nvd.nist.gov/vuln/detail/CVE-2026-41305
• https://github.com/postcss/postcss

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity