Security Vulnerability Report
CVE-2026-44312 CVSS 5.8 MEDIUM

CVE-2026-44312

Published: 2026-05-14 17:16:22
Last Modified: 2026-05-14 18:13:34

Description

css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0.

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

css_parser < 2.1.0
css_parser < 1.22.0
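
One way to check a project's Gemfile.lock against the affected ranges listed above. This is an added example, not code from the advisory or from the css_parser project. It assumes 1.22.0 is the fix for the 1.x line and 2.1.0 the fix for the 2.x line; the lock file content and the helper names are constructed for illustration.

```ruby
require 'rubygems' # Gem::Version

# Fixed releases named in the advisory. Assumption: 1.22.0 fixes the 1.x
# line and 2.1.0 fixes the 2.x line.
FIXED_1X = Gem::Version.new('1.22.0')
FIXED_2X = Gem::Version.new('2.1.0')

# True when a resolved css_parser version falls in the affected range.
def css_parser_affected?(version_string)
  v = Gem::Version.new(version_string)
  return v < FIXED_1X if v.segments.first.to_i < 2

  v < FIXED_2X
end

# Returns the affected css_parser versions pinned in Gemfile.lock text.
# Resolved specs are indented by exactly four spaces; the six-space lines
# are dependency constraints of other gems and are ignored.
def affected_css_parser_versions(lockfile_text)
  lockfile_text.scan(/^ {4}css_parser \(([^)\s]+)\)\s*$/).flatten
               .select { |ver| css_parser_affected?(ver) }
end

# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
      css_parser (1.21.0)
        addressable
      premailer (1.27.0)
        css_parser (>= 1.19.0)

  DEPENDENCIES
    premailer
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run without arguments for the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = affected_css_parser_versions(text)
  puts hits.empty? ? 'css_parser: no affected version locked' : "css_parser affected: #{hits.join(', ')}"
end
```

Transitive pins matter here: css_parser is often pulled in by another gem rather than listed directly, which is why the check reads the resolved specs instead of the Gemfile.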

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
# Ruby PoC to demonstrate the vulnerability in css_parser < 2.1.0
# This script shows that the parser loads content from a URL with an invalid SSL certificate.
require 'css_parser'

# A URL with a self-signed or expired certificate (e.g., badssl.com)
target_url = 'https://expired.badssl.com/'

parser = CssParser::Parser.new

puts "Attempting to load CSS from: #{target_url}"
puts "Note: This site has an expired certificate and should fail in a secure environment."

begin
  # In vulnerable versions, this succeeds because VERIFY_NONE is used
  parser.load_uri!(target_url)
  puts "[VULNERABLE] Successfully loaded CSS despite invalid certificate!"

  # Count rule sets through the public each_rule_set iterator, so a missing
  # accessor cannot raise inside the begin block and be misreported as SAFE.
  rule_count = 0
  parser.each_rule_set { rule_count += 1 }
  puts "Loaded Rules Count: #{rule_count}"
rescue StandardError => e
  puts "[SAFE/ERROR] Connection failed as expected: #{e.message}"
end

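References

https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449
https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18
https://github.com/premailer/css_parser/issues/185
https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc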

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44312",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T17:16:22.393",
    "lastModified": "2026-05-14T18:13:33.660",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-295"},
          {"lang": "en", "value": "CWE-829"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/premailer/css_parser/issues/185",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc",
        "source": "[email protected]"
      }
    ]
  }
}