VulnerableCode Package Details - pkg:npm/postcss@5.1.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-dq4c-cvs1-9qce Aliases: CVE-2026-41305 GHSA-qx2v-qp2m-jg93	PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.	8.5.10 Affected by 0 other vulnerabilities.
VCID-hvjq-h8w2-kug3 Aliases: CVE-2023-44270 GHSA-7fh5-64p2-3v2j	An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.	8.4.31 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-zfzz-5p91-j7g9 Aliases: CVE-2021-23382 GHSA-566m-qj78-rww5	Regular Expression Denial of Service in postcss	7.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.2.13 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-dq4c-cvs1-9qce
Aliases:
CVE-2026-41305
GHSA-qx2v-qp2m-jg93

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

8.5.10
Affected by 0 other vulnerabilities.

VCID-hvjq-h8w2-kug3
Aliases:
CVE-2023-44270
GHSA-7fh5-64p2-3v2j

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

8.4.31
Affected by 1 other vulnerability.

VCID-zfzz-5p91-j7g9
Aliases:
CVE-2021-23382
GHSA-566m-qj78-rww5

Regular Expression Denial of Service in postcss

7.0.36
Affected by 2 other vulnerabilities.

8.2.13
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:13:31.906581+00:00	GitLab Importer	Affected by	VCID-dq4c-cvs1-9qce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/postcss/CVE-2026-41305.yml	38.6.0
2026-06-12T19:07:18.786731+00:00	GitLab Importer	Affected by	VCID-hvjq-h8w2-kug3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/postcss/CVE-2023-44270.yml	38.6.0
2026-06-12T17:38:16.176977+00:00	GitLab Importer	Affected by	VCID-zfzz-5p91-j7g9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/postcss/CVE-2021-23382.yml	38.6.0