5

CVE-2026-9358

Exploit

postcss-selector-parser AST Serialization container.js toString recursion

A vulnerability was found in postcss-selector-parser up to 6.1.2/7.1.2. It affects the function toString in the file src/selectors/container.js of the component AST Serialization. Manipulation can lead to uncontrolled recursion. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 6.1.3 or 7.1.3 addresses this issue. The patch is identified as 5bc698cef66f8abd12610dc623e5d67cbc0f869d. Upgrading the affected component is recommended. The vendor explains that, by their definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." The commits were backported to the 6.x branch, which was the most downloaded version.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor n/a
Product postcss-selector-parser
Version Status
6.1.0 affected
6.1.1 affected
6.1.2 affected
7.1.0 affected
7.1.1 affected
7.1.2 affected
6.1.3 unaffected
7.1.3 unaffected
No warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.33% 0.241
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
cna@vuldb.com 2.1 0 0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 4.3 2.8 1.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
cna@vuldb.com 5 10 2.9 AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-404 Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://vuldb.com/vuln/365321
https://vuldb.com/vuln/365321/cti
https://vuldb.com/submit/813080
https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9
https://github.com/postcss/postcss-selector-parser/commit/5bc698cef66f8abd12610dc623e5d67cbc0f869d
https://github.com/postcss/postcss-selector-parser/releases/tag/7.1.3
https://vuldb.com/cve/CVE-2026-9358