PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Unanswered

Silver posted this in #help-forum

Open in Discord

SilverOP

2026-05-04T17:00:23.171Z

`postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix --force`
Will install next@9.3.3, which is a breaking change
node_modules/postcss
  next  9.3.4-canary.0 - 16.3.0-canary.5
  Depends on vulnerable versions of postcss
  node_modules/next

7 Replies

GravityExploitz ✦

2026-05-04T19:47:56.751Z

@B33fb0n3 Little bro is using Next.js 9.3.4. He needs to be on 16.3.0.

Why is he so behind on updates wtf

@GravityExploitz ✦ Why is he so behind on updates wtf

2026-05-04T19:55:12.045Z

lets wait for his information about it, so we can help him further 🙂

@B33fb0n3 lets wait for his information about it, so we can help him further 🙂

GravityExploitz ✦

2026-05-04T19:56:16.662Z

It says he’s on next 9.3.3 going to 9.3.4. If he updates to 16 or 15, he will be fine.

He shouldn’t be on next 9 in the first place lol

So many vulnerabilities