CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53727

highcovered by 1 sourcefirst seen 2026-07-09
Summary CssParser::Parser#read_remote_file (and therefore load_uri!, and the @import-following branch of add_block!) issues HTTP/HTTPS requests against any host, port and URI it is handed, with no scheme allowlist, no host / IP filtering, and no protection against link-local, loopback or RFC‑1918 addresses. Location: redirects are followed recursively back into the same function, which also services file:// URIs, so a single attacker-controlled HTTP redirect upgrades the bug from SSRF to arbitrary local file disclosure. In practice, any consumer of css_parser that hands it attacker‑influenced CSS together with a base_uri: option — Premailer being the canonical example — is exposed. The attacker only needs the ability to land one @import url(...) in the CSS that the host application parses. Vulnerable code lib/css_parser/parser.rb#L613-L687: def read_remote_file(uri) # :nodoc: ... begin uri = Addressable::URI.parse(uri.to_s) if uri.scheme == 'file' local file path = uri.path path.gsub!(%r{^/}, '') if Gem.win_platform? src = File.read(path, mode: 'rb') # <-- arbitrary local read else remote file if uri.scheme == 'https' uri.port = 443 unless uri.port http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true else http = Net::HTTP.new(uri.host, uri.port) # <-- arbitrary host:port end res = http.get(uri.request_uri, ...) ... elsif res.code.to_i >= 300 and res.code.to_i < 400 unless res['Location'].nil? return read_remote_file Addressable::URI.parse(...) # <-- cross-scheme redirect end end ... There is no validation of uri.host, uri.scheme, or the resolved IP address — neither before the HTTP request, nor before the recursive call on the Location header. The user-facing entry points that reach this sink are: - Parser#load_uri! — directly calls read_remote_file (line 513). - Parser#add_block! — when invoked with base_uri: and the default import: true, scans the CSS for @import url(...) rules and resolves each one through load_uri! (line 150). Threat model

⚡ Watch CVE-2026-53727

Get an email if CVE-2026-53727 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53727

CVE.org record

Embed the live status

CVE-2026-53727 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53727 status](https://www.csirts.com/badge/CVE-2026-53727)](https://www.csirts.com/cve/CVE-2026-53727)