CVE-2026-9358

MEDIUM 4.3

postcss AST Serialization container.js toString recursion

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

10th

A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains, that according to his definition "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)."

CWE	CWE-674 CWE-404
Vendor	n/a
Product	postcss
Published	May 24, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for n/a postcss

Be the first to know when new medium vulnerabilities affecting n/a postcss are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / postcss

7.1.0 7.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/365321 vuldb.com: https://vuldb.com/vuln/365321/cti vuldb.com: https://vuldb.com/submit/813080 gist.github.com: https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9

Credits

🔍 bx33661 (VulDB User) VulDB CNA Team