CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/20 12:24 a.m.•2 views

MAL-2026-4450 Malicious code in @tailwind-core/postcss (npm)

5.9AI score

Tenable Nessus•added 2026/05/13 12:0 a.m.•4 views

Linux Distros Unpatched Vulnerability : CVE-2026-44301

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node- based asset pipelines PostCSS, Babel, TailwindCSS, Hugo...

8.6CVSS5.5AI score0.00044EPSS

Exploits0References3

NVD•added 2026/05/12 10:16 p.m.•8 views

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

8.6CVSS0.00044EPSS

OSV•added 2026/05/12 10:16 p.m.•4 views

UBUNTU-CVE-2026-44301

Debian CVE•added 2026/05/12 9:37 p.m.•6 views

Exploits0References3

CVE-2026-44301

CVE•added 2026/05/12 9:37 p.m.•22 views

Exploits0

CVE-2026-44301

Hugo (static site generator) versions 0.43 through 0.160.x are vulnerable when building a site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS). The vulnerability arises because Hugo invoked the configured Node tools without restrictions on file system access, potentially allowi...

Exploits0References1Affected Software1

Cvelist•added 2026/05/12 9:37 p.m.•32 views

CVE-2026-44301 Hugo: Node tool execution allows file system access outside the project directory

8.6CVSS0.00044EPSS

Vulnrichment•added 2026/05/12 9:37 p.m.•5 views

CVE-2026-44301 Hugo: Node tool execution allows file system access outside the project directory

Snyk•added 2026/05/06 8:59 p.m.•3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the execution of Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS. An attacker can gain unauthorized access to files outside the intended project directory by executing code through these tools wh...

8.6CVSS6.3AI score0.00044EPSS

Exploits0References2

IBM Security Bulletins•added 2026/05/04 9:34 a.m.•4 views

Security Bulletin: Resolved a vulnerability in PostCSS versions prior to 8.5.10

Summary Versions prior to 8.5.10 have a vulnerability enabling XSS, we updated the version of PostCSS to version 8.5.10 which resolved the issue Vulnerability Details CVEID:CVE-2026-41305 DESCRIPTION: PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the...

6.1CVSS5.8AI score0.00011EPSS

Exploits0Affected Software1

RedhatCVE•added 2026/04/25 11:39 a.m.•2 views

CVE-2026-41305

A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting XSS by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML sequences. This oversight enables the injected...

Tenable Nessus•added 2026/04/25 12:0 a.m.•4 views

Exploits0References5

Linux Distros Unpatched Vulnerability : CVE-2026-41305

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do...

6.1CVSS5.8AI score0.00011EPSS

Exploits0References4

Patchstack•added 2026/04/24 3:31 p.m.•2 views

NPM: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

NPM: PostCSS has XSS via Unescaped in its CSS Stringify Output vulnerability discovered by ? in WordPress Npm postcss versions 8.5.10...

6.1CVSS5.8AI score0.00011EPSS

Exploits0References4Affected Software1

Github Security Blog•added 2026/04/24 3:31 p.m.•95 views

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS: XSS via Unescaped in CSS Stringify Output Summary PostCSS v8.5.5 latest does not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS values breaks out of the style context, enabling XSS. Proof of Concept...

Exploits0References4Affected Software1

OSV•added 2026/04/24 3:31 p.m.•0 views

GHSA-QX2V-QP2M-JG93 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

Snyk•added 2026/04/24 4:18 a.m.•3 views

Exploits0References4

Cross-site Scripting (XSS)

Overview postcss is a PostCSS is a tool for transforming styles with JS plugins. Affected versions of this package are vulnerable to Cross-site Scripting XSS in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by submitting crafted CS...

6.1CVSS5.5AI score0.00011EPSS

Exploits0References2

Snyk•added 2026/04/24 4:18 a.m.•2 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:postcss is a PostCSS is a tool for transforming styles with JS plugins. Affected versions of this package are vulnerable to Cross-site Scripting XSS in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by...

6.1CVSS5.5AI score0.00011EPSS

Exploits0References2

OSV•added 2026/04/24 3:16 a.m.•0 views

DEBIAN-CVE-2026-41305

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...