cssparser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFYNONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-295",
"CWE-829"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44312.json"
}{
"source": [
"AFFECTED_FIELD",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.0"
},
{
"introduced": "0"
},
{
"fixed": "1.22.0"
}
]
}