CVE-2026-14651

LOW

connorskees grass visitor denial of service

Title source: cna

Description

A vulnerability has been found in connorskees grass up to 0.13.4. The impacted element is the function grass_compiler::selector::extend/grass_compiler::evaluate::visitor. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."

References (6)

Core References
Vdb Entry, Technical Description
VDB-376164 | connorskees grass visitor denial of service
https://vuldb.com/vuln/376164

Signature, Permissions Required
VDB-376164 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/376164/cti

Third Party Advisory
CVE-2026-14651 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-14651

Third Party Advisory
Submit #846667 | grass 0.13.4 Asymmetric Resource Consumption
https://vuldb.com/submit/846667

Exploit, Issue Tracking
https://github.com/connorskees/grass/issues/117

Scores

CVSS v3 3.3
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-404
Status published
Products (5)
connorskees/grass 0.13.0
connorskees/grass 0.13.1
connorskees/grass 0.13.2
connorskees/grass 0.13.3
connorskees/grass 0.13.4
Published Jul 04, 2026
Tracked Since Jul 05, 2026