LOW
postcss
CVE published 2026-05-24
CVE-2026-9358
A vulnerability in postcss up to version 7.1.1 allows uncontrolled recursion in the `toString` function of `src/selectors/container.js` during AST serialization. An attacker can trigger this remotely by manipulating user-generated CSS input, leading to denial of service through stack exhaustion. The vendor has publicly stated that server-side DoS on user-generated CSS is considered low risk, as most users [truncated]