PostCSS has XSS via Unescaped </style> in its CSS Stringify Output (CVE-2026-41305)
Answered
Silver posted this in #help-forum
SilverOP
```
postcss <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix --force`
Will install next@9.3.3, which is a breaking change
node_modules/postcss
next 9.3.4-canary.0 - 16.3.0-canary.5
Depends on vulnerable versions of postcss
node_modules/next
```
Answered by Silver
It looks like it is already getting addressed. It is just pending the stable release.
Original issue: https://github.com/vercel/next.js/issues/93234
Update: https://github.com/vercel/next.js/pull/93288
12 Replies
@B33fb0n3 Little bro is using Next.js 9.3.4. He needs to be on 16.3.0.


Why is he so behind on updates wtf
@GravityExploitz ✦ Why is he so behind on updates wtf
Let's wait for his information about it, so we can help him further 🙂
It says he’s on next 9.3.3 going to 9.3.4. If he updates to 16 or 15, he will be fine.
He shouldn’t be on next 9 in the first place lol
So many vulnerabilities
SilverOP
@GravityExploitz ✦ @B33fb0n3 No lmao. It is saying to downgrade to v9.3.3 to resolve the issue
I'm on v16.2.4 (stable)
SilverOP
It looks like it is already getting addressed. It is just pending the stable release.
Original issue: https://github.com/vercel/next.js/issues/93234
Update: https://github.com/vercel/next.js/pull/93288
Answer
@GravityExploitz ✦ Click to see attachment
SilverOP
Yup, I saw that too. But an "unlikely" security concern is still an issue.