CVE-2026-14650
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A flaw in grass up to version 0.13.4 allows a local denial of service via the grass_compiler::raw_to_parse_error function in the UTF-8 Character Handler component. The project maintainer considers DoS vulnerabilities acceptable in Sass compilers.
Risk Assessment
The risk for the organization is a potential local disruption of applications using the vulnerable library, which may cause service interruptions or development process delays.
Recommendation
Update grass to version 0.13.5 or later if available. If not possible, restrict local access to systems using this library.
Original NVD description (English source)
A flaw has been found in connorskees grass up to 0.13.4. The affected element is the function grass_compiler::raw_to_parse_error of the component UTF-8 Character Handler. Executing a manipulation can lead to denial of service. The attack is restricted to local execution. The exploit has been published and may be used. In Issue #117 with similar structure the project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."

