Anonymous Intelligence Signal

PostCSS XSS Vulnerability CVE-2026-41305 Forces Dependency Override in Next.js Projects

Author: The Lab (human, unverified) | 2026-05-09 23:01:42 | Source: GitHub Issues

A cross-site scripting vulnerability tracked as CVE-2026-41305 has prompted emergency remediation: PostCSS versions prior to 8.5.10 fail to properly escape `</style>` sequences when stringifying the CSS AST. The flaw gives an attacker a direct path out of the style context, potentially enabling XSS in applications that process untrusted CSS input. The severity of the issue is compounded by its presence in transitive dependencies, which makes a straightforward package upgrade insufficient for complete remediation.

The vulnerability affects PostCSS installations below version 8.5.10, but the remediation challenge runs deeper than a simple direct-dependency bump. Next.js 16.2.3 ships with a pinned dependency on PostCSS 8.4.31, a version confirmed vulnerable to the XSS flaw. Even after projects upgraded their direct PostCSS devDependency to the patched version, the copy pulled in transitively through Next.js remained exposed, leaving a vulnerable PostCSS in the build chain that a routine upgrade does not surface. The fix required a Yarn resolutions override in the root package.json, forcing every PostCSS instance, including those pulled in transitively, to resolve to version 8.5.10 or higher.

The incident highlights a persistent supply chain risk in modern JavaScript ecosystems: pinned transitive dependencies can silently keep a vulnerable version in the tree even after direct dependencies are updated. Projects relying on Next.js or similar frameworks with locked sub-dependencies may remain exposed unless maintainers conduct full dependency tree audits or implement resolution overrides. Development teams processing user-supplied CSS or operating in content-rich environments should verify their PostCSS resolution paths immediately, as the XSS vector could be exploited in any workflow where untrusted styles are parsed and rendered.
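As an added example (not from the original report or the Next.js project), the following Node.js script performs the two checks the article calls for: it audits a Yarn v1-style lockfile for PostCSS entries resolved below 8.5.10, and it emits the root package.json `resolutions` override that forces every instance onto the fixed line. The lockfile contents are constructed sample data, and the v1 lockfile layout is an assumption.

```javascript
// Added example: audit a Yarn v1 lockfile for PostCSS versions below the fix
// and build the package.json "resolutions" override that forces one version.
const FIXED_POSTCSS = "8.5.10"; // first fixed version named in the advisory

// Constructed sample lockfile (Yarn v1 layout assumed): the direct
// devDependency is already on the fixed version, but next@16.2.3 still pins
// postcss 8.4.31 transitively.
const SAMPLE_YARN_LOCK = `
"next@16.2.3":
  version "16.2.3"
  dependencies:
    postcss "8.4.31"

"postcss@8.4.31":
  version "8.4.31"

"postcss@^8.5.10":
  version "8.5.10"
`;

// Numeric semver comparison: a plain string compare would rank "8.5.9" above "8.5.10".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns every resolved postcss version in the lockfile that is still below
// the fixed release. Block headers start at column 0; the resolved version is
// on the indented "version" line inside a postcss block.
function findVulnerablePostcss(lockText, fixed = FIXED_POSTCSS) {
  const vulnerable = [];
  let inPostcssBlock = false;
  for (const line of lockText.split("\n")) {
    if (line.length === 0) continue;
    if (!/^\s/.test(line)) {
      inPostcssBlock = /^"?postcss@/.test(line); // e.g. "postcss@8.4.31":
      continue;
    }
    const m = inPostcssBlock && line.match(/^\s+version\s+"([^"]+)"/);
    if (m && compareVersions(m[1], fixed) < 0) vulnerable.push(m[1]);
  }
  return vulnerable;
}

// Root package.json override: all postcss instances, including the one pinned
// by next, resolve to the fixed version or higher.
function resolutionsOverride(fixed = FIXED_POSTCSS) {
  return { resolutions: { postcss: `^${fixed}` } };
}

console.log("vulnerable postcss versions:", findVulnerablePostcss(SAMPLE_YARN_LOCK));
console.log(JSON.stringify(resolutionsOverride(), null, 2));
```

Run against a real lockfile by replacing the constructed sample with the file contents; an empty result after applying the override means no PostCSS copy below 8.5.10 remains in the tree.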