Anonymous Intelligence Signal

PostCSS <8.5.10 Vulnerability: Unescaped </style> Tag Enables XSS via CSS Stringify

The Lab (unverified), 2026-04-25 02:54:05. Source: GitHub Issues

A confirmed cross-site scripting (XSS) vulnerability in the PostCSS CSS parser has been identified, affecting all versions prior to 8.5.10. The flaw, tracked as GHSA-qx2v-qp2m-jg93, allows an attacker to inject unescaped `</style>` sequences when stringifying CSS containing attacker-controlled content. When that output is later embedded into an HTML `<style>` block, the premature closing tag ends the style element early and breaks out of the style context, enabling arbitrary markup or JavaScript execution in the victim's browser.

The vulnerability carries a CVSS 3.1 score of 6.1 (moderate), classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue was discovered on April 25, 2026, during a routine weekly security audit. The affected version resolved in the lockfile is postcss 8.5.8, pulled transitively through [email protected] as a development dependency. While the exposure path currently appears limited to dev-only tooling, any build pipeline that feeds PostCSS output directly into HTML `<style>` blocks without sanitization faces potential risk.
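The breakout described above, and the downstream check a build pipeline can apply before inlining stringified CSS, as an added example (not PostCSS project code). The CSS sample is constructed; the `<\/` rewrite is a defensive measure for the embedding step, not the upstream fix shipped in 8.5.10.

```javascript
// Added example (not PostCSS project code): shows why a `</style` sequence that
// survives CSS stringification is dangerous when the output is inlined into HTML,
// and how a build step can neutralise it before embedding.

// Constructed sample: CSS whose string value carries attacker-controlled text.
// A stringifier that does not escape `</` emits it verbatim.
const STRINGIFIED_CSS = 'a::after { content: "</style><b>injected markup</b>"; }';

// HTML tokenizers end a <style> element at `</style` followed by whitespace,
// `/` or `>`, regardless of case, so this is the pattern a downstream check
// must look for.
const STYLE_BREAKOUT = /<\/style[\s\/>]/i;

function containsStyleBreakout(css) {
  return STYLE_BREAKOUT.test(css);
}

// Vulnerable pattern: stringified CSS dropped straight into a <style> block.
function embedCssUnsafe(css) {
  return `<style>${css}</style>`;
}

// Hardened pattern: rewrite every `</` as `<\/`. Inside CSS strings and url()
// tokens `\/` decodes back to `/`, so the stylesheet's meaning is unchanged,
// while the HTML tokenizer no longer sees a closing tag inside the raw-text
// element. Benign CSS without `</` passes through untouched.
function escapeCssForStyleElement(css) {
  return css.replace(/<\//g, '<\\/');
}

function embedCssSafe(css) {
  return `<style>${escapeCssForStyleElement(css)}</style>`;
}

// Count how many `</style` closing sequences the HTML tokenizer would see; a
// correct embedding yields exactly one (the real closing tag).
function countStyleClosers(html) {
  return (html.match(/<\/style[\s\/>]/gi) || []).length;
}
```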

The maintainers have patched the issue in version 8.5.10. Organizations using PostCSS in asset compilation or CSS-in-JS workflows should verify their dependency trees and upgrade immediately. The npm audit flag for this vulnerability is marked as "moderate," but teams processing user-supplied content through PostCSS should treat the risk as elevated given the clear injection vector. Further scrutiny of how CSS stringify output is handled downstream in build systems and templating frameworks is warranted.