PT-2026-38404 · Rubygems · Css Parser

Jlleitschuh

·

Published

2026-05-07

·

Updated

2026-05-14

·

CVE-2026-44312

CVSS v3.1

5.8

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: css_parser versions prior to 1.22.0; css_parser versions prior to 2.1.0
Description: The software fails to validate HTTPS connections when loading stylesheets, which allows a Man-in-the-Middle (MITM) attacker to inject or modify CSS content. This occurs because the connection is established with OpenSSL::SSL::VERIFY_NONE, so any HTTPS certificate, including an untrusted one, is accepted without validation. The issue lies in the http.verify_mode setting in lib/css_parser/parser.rb.
Recommendations: Update to version 1.22.0 or 2.1.0.
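Defensive counterpart to the setting described above, added here as an example and not code from the css_parser gem: a helper that builds a verifying Net::HTTP client (VERIFY_PEER plus the system CA store), and a hypothetical audit helper that flags the VERIFY_NONE pattern in Ruby source, run over a constructed sample.

```ruby
require "net/http"
require "openssl"
require "uri"

# Added example (not code from the css_parser gem): build a Net::HTTP client
# that verifies the server's certificate chain and hostname instead of
# using OpenSSL::SSL::VERIFY_NONE. Net::HTTP.new does not connect yet, so
# the returned object can be inspected offline.
def verified_http_for(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == "https"
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # reject untrusted chains
    store = OpenSSL::X509::Store.new
    store.set_default_paths                       # system CA bundle
    http.cert_store = store
  end
  http
end

# Hypothetical audit helper: return the 1-based line numbers in a Ruby
# source string that disable certificate verification. Useful as a
# code-review or CI check for the pattern this advisory describes.
VERIFY_NONE_PATTERN = /\bverify_mode\s*=\s*OpenSSL::SSL::VERIFY_NONE\b/

def verify_none_lines(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(VERIFY_NONE_PATTERN) }
        .map(&:last)
end

# Constructed sample mimicking the pre-fix pattern (not the gem's real source)
SAMPLE_SOURCE = <<~RUBY
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  response = http.request_get(uri.request_uri)
RUBY

if __FILE__ == $PROGRAM_NAME
  client = verified_http_for("https://example.invalid/site.css")
  puts "verify_mode = #{client.verify_mode} (VERIFY_PEER = #{OpenSSL::SSL::VERIFY_PEER})"
  puts "VERIFY_NONE on lines: #{verify_none_lines(SAMPLE_SOURCE).inspect}"
end
```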

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-44312
GHSA-FF6C-W6QF-7XQC

Affected Products

Css Parser