CVE-2026-9358 - Medium Severity Vulnerability
Vulnerable Libraries - postcss-selector-parser-6.0.2.tgz, postcss-selector-parser-5.0.0.tgz, postcss-selector-parser-3.1.2.tgz
postcss-selector-parser-6.0.2.tgz
> Selector parser with built in methods for working with selector strings.
Library home page: https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-selector-parser/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
  - webpack-2.14.3.tgz
    - css-loader-3.6.0.tgz
      - postcss-modules-scope-2.2.0.tgz
        - ❌ postcss-selector-parser-6.0.2.tgz (Vulnerable Library)
postcss-selector-parser-5.0.0.tgz
> Selector parser with built in methods for working with selector strings.
Library home page: https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-dir-pseudo-class/node_modules/postcss-selector-parser/package.json,/node_modules/postcss-pseudo-class-any-link/node_modules/postcss-selector-parser/package.json,/node_modules/css-has-pseudo/node_modules/postcss-selector-parser/package.json,/node_modules/postcss-custom-selectors/node_modules/postcss-selector-parser/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
  - webpack-2.14.3.tgz
    - postcss-preset-env-6.7.0.tgz
      - postcss-custom-selectors-5.1.2.tgz
        - ❌ postcss-selector-parser-5.0.0.tgz (Vulnerable Library)
postcss-selector-parser-3.1.2.tgz
> Selector parser with built in methods for working with selector strings.
Library home page: https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-3.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-minify-selectors/node_modules/postcss-selector-parser/package.json,/node_modules/stylehacks/node_modules/postcss-selector-parser/package.json,/node_modules/postcss-merge-rules/node_modules/postcss-selector-parser/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
  - webpack-2.14.3.tgz
    - cssnano-4.1.10.tgz
      - cssnano-preset-default-4.0.7.tgz
        - postcss-merge-rules-4.0.3.tgz
          - ❌ postcss-selector-parser-3.1.2.tgz (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
A vulnerability was found in postcss-selector-parser up to 6.1.2/7.1.2. It affects the function toString in the file src/selectors/container.js of the AST Serialization component. Manipulated input can lead to uncontrolled recursion. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to versions 6.1.3 and 7.1.3 addresses this issue. The patch is identified as 5bc698cef66f8abd12610dc623e5d67cbc0f869d. Upgrading the affected component is recommended. The vendor explains that, according to his definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to the 6.x branch, which was the most downloaded version.
Publish Date: 2026-05-24
URL: CVE-2026-9358
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low