CVE-2026-44312: CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
The CSS Parser gem does not validate the server certificate on HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, so any HTTPS certificate, even one that chains to no trusted authority, is accepted without validation.
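As an added example (not code from css_parser or from the advisory), the following Ruby script stands up a local HTTPS server with a self-signed certificate and fetches a stylesheet from it twice: with the VERIFY_NONE setting named above the substituted CSS comes back, while with VERIFY_PEER, the corrected setting, the handshake is refused. The helper names (build_client, fetch_css, start_untrusted_server) and the sample CSS are assumptions made for this demonstration.

```ruby
require "net/http"
require "openssl"
require "socket"
# Constructed sample of a stylesheet an on-path attacker could substitute.
INJECTED_CSS = "body { background: url(https://attacker.invalid/pixel) }".freeze

# verify: false reproduces the VERIFY_NONE setting named in the advisory; verify: true is the fix.
def build_client(host, port, verify:)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  http.open_timeout = http.read_timeout = 5
  http
end

# Throwaway self-signed certificate (constructed): chains to no trusted CA, so a verifying client must refuse it.
def untrusted_cert
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Local HTTPS server presenting the untrusted cert; serves `body` to any client whose handshake completes.
def start_untrusted_server(cert, key, body)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      conn = ssl.accept  # raises when a verifying client aborts the handshake
      nil while (line = conn.gets) && line != "\r\n"  # skip the request headers
      conn.write "HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\n\r\n#{body}"
      conn.close
    rescue StandardError  # rejected handshake: keep serving the next client
    end
  end
  tcp.addr[1]  # the port the server listens on
end

# Fetch /style.css over TLS: returns the CSS, or :rejected when certificate validation fails.
def fetch_css(port, verify:)
  build_client("127.0.0.1", port, verify: verify).get("/style.css").body
rescue OpenSSL::SSL::SSLError
  :rejected
end
```

Only the standard library and loopback networking are needed; call `start_untrusted_server(*untrusted_cert, INJECTED_CSS)` and then `fetch_css` with each setting to compare the two outcomes.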
References
- github.com/advisories/GHSA-ff6c-w6qf-7xqc
- github.com/premailer/css_parser
- github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449
- github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18
- github.com/premailer/css_parser/issues/185
- github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc
- nvd.nist.gov/vuln/detail/CVE-2026-44312