CVE Catalog

CVE-2026-44381

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile - higher than 13% of all known CVEs

Summary

In MISP, prior to version 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. An attacker could craft a malicious ordering parameter to manipulate the generated SQL query.

Risk Assessment

This vulnerability could lead to unauthorized access to data, modification of query behavior, or other database-level impacts, depending on database permissions and query context.

Recommendation

It is recommended to upgrade MISP to version 2.5.37 or later to mitigate this vulnerability.

Original NVD description (English source)

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS