To me at least it reads funny because when I think of CSS I think of the language itself and not the accompanying tools that are then running the CSS.

Saying "Markdown has a CVE" would sound equally off. I'm aware that its not actually CSS having the vulnerability but when simplified that's what it sounds like.