diff --git a/HISTORY.md b/HISTORY.md
index 4d14d0c..287aa0b 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,22 @@
 # Sanitize History
 
+## 6.0.2 (2023-07-06)
+
+### Bug Fixes
+
+* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
+  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
+  6.0.1.
+
+  When using Sanitize's relaxed config or a custom config that allows `<style>`
+  elements and one or more CSS at-rules, carefully crafted input could be used
+  to sneak arbitrary HTML through Sanitize.
+
+  See the following security advisory for additional details:
+  [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
+
+  Thanks to @cure53 for finding this issue.
+
 ## 6.0.1 (2023-01-27)
 
 ### Bug Fixes
diff --git a/lib/sanitize/transformers/clean_css.rb b/lib/sanitize/transformers/clean_css.rb
index 4203bf6..fc26c61 100644
--- a/lib/sanitize/transformers/clean_css.rb
+++ b/lib/sanitize/transformers/clean_css.rb
@@ -48,6 +48,7 @@ def call(env)
     if css.strip.empty?
       node.unlink
     else
+      css.gsub!('</', '<\/')
       node.children.unlink
       node << Nokogiri::XML::Text.new(css, node.document)
     end
diff --git a/lib/sanitize/version.rb b/lib/sanitize/version.rb
index 0847cce..ce1fa6b 100644
--- a/lib/sanitize/version.rb
+++ b/lib/sanitize/version.rb
@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 class Sanitize
-  VERSION = '6.0.1'
+  VERSION = '6.0.2'
 end
diff --git a/test/test_malicious_css.rb b/test/test_malicious_css.rb
index 52c9539..eecedbd 100644
--- a/test/test_malicious_css.rb
+++ b/test/test_malicious_css.rb
@@ -39,4 +39,17 @@
   it 'should not allow behaviors' do
     _(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
   end
+
+  describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RELAXED)
+    end
+
+    it 'is not possible to prematurely end a <style> element' do
+      assert_equal(
+        %[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
+        @s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
+      )
+    end
+  end
 end
