Man-in-the-Middle Vulnerability in css_parser Ruby CSS Parser by Premailer
CVE-2026-44312

5.8 MEDIUM

Key Information:

Vendor: Premailer

CVE Published: 14 May 2026

What is CVE-2026-44312?

Versions of the css_parser gem prior to 2.1.0 and 1.22.0 do not validate certificates on HTTPS connections, which can leave applications open to Man-in-the-Middle (MITM) attacks. The gem defaults to OpenSSL::SSL::VERIFY_NONE, so it accepts any HTTPS certificate without validation, including untrusted ones. As a result, attackers can potentially inject or modify CSS content during transmission, compromising the integrity of the web pages that use this gem. Users should update to version 2.1.0, 1.22.0, or later to protect their applications from this vulnerability.

Affected Version(s)

css_parser >= 2.0.0, < 2.1.0

css_parser < 1.22.0
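
A quick way to check a project against the ranges above is to read the resolved css_parser version from its Gemfile.lock. The script below is an added example, not code from the css_parser project; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Affected ranges as listed on this page; any other version is treated as fixed.
AFFECTED = [
  Gem::Requirement.new("< 1.22.0"),
  Gem::Requirement.new(">= 2.0.0", "< 2.1.0")
].freeze

# True when the given css_parser version string falls in an affected range.
def css_parser_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED.any? { |req| req.satisfied_by?(v) }
end

# Extract the resolved css_parser version from Gemfile.lock text.
# Resolved gems sit under "specs:" indented by exactly four spaces;
# dependency constraints of other gems are indented six and are skipped.
def locked_css_parser_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}css_parser \(([^)\s]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Returns :not_present, :affected or :fixed for the given lockfile text.
def audit_lockfile(lockfile_text)
  version = locked_css_parser_version(lockfile_text)
  return :not_present if version.nil?
  css_parser_affected?(version) ? :affected : :fixed
end

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
      css_parser (1.21.1)
        addressable
      premailer (1.27.0)
        css_parser (>= 1.19.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "css_parser #{locked_css_parser_version(SAMPLE_LOCK)}: #{audit_lockfile(SAMPLE_LOCK)}"
end
```

Because css_parser is usually pulled in as a transitive dependency, the lockfile rather than the Gemfile is the place to look.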

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
