CVE-2026-44312— css_parser allows to MITM included https css urls
Possible ATT&CK Techniques 3AI
T1048 · Exfiltration Over Alternative Protocol T1190 · Exploit Public-Facing Application T1557 · Adversary-in-the-MiddleAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| premailer | css_parser | >= 2.0.0, < 2.1.0 | affected |
< 1.22.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44312
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
css_parser allows to MITM included https css urls
Source: NVD (National Vulnerability Database)
Vulnerability Description
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
从非可信控制范围包含功能例程
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ruby CSS Parser 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ruby CSS Parser是premailer开源的一个用于加载、解析和级联CSS规则集的工具。 Ruby CSS Parser 2.1.0之前版本和1.22.0之前版本存在信任管理问题漏洞,该漏洞源于未验证HTTPS连接,使用OpenSSL::SSL::VERIFY_NONE建立连接,导致中间人攻击者可在通过HTTPS加载样式表时注入或修改CSS内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| premailer | css_parser | >= 2.0.0, < 2.1.0 | - |
II. Public POCs for CVE-2026-44312
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44312
请登录查看更多情报信息。
- https://github.com/premailer/css_parser/issues/185x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-44312
IV. Related Vulnerabilities
Same weakness: CWE-829
- CVE-2026-7373
Metasploit Pro on Windows: Local Privilege Escalation via Op - CVE-2026-44995
OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdi - CVE-2026-45184
Kdenlive 安全漏洞 - CVE-2026-43571
OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Res - CVE-2026-43569
OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablem
V. Comments for CVE-2026-44312
No comments yet