
PHP | CVE-2026-39962 | EUVD-2026-20966 | HIGH
LDAP Injection (CWE-90)
Published 2026-04-09 (GitHub_M)
CVSS 4.0 base score: 8.8

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Active (UI:A)
Scope: X (not defined)

Lifecycle Timeline (7 events)

Apr 23, 2026 - 15:23  vuln.today           Re-analysis Queued (cvss_changed)
Apr 16, 2026 - 06:00  EUVD-patch-fix       Analysis Updated (executive_summary)
Apr 16, 2026 - 05:29  backfill_euvd_patch  Re-analysis Queued (patch_released)
Apr 16, 2026 - 05:29  EUVD                 Patch available (2.5.36)
Apr 09, 2026 - 17:15  euvd                 EUVD ID Assigned (EUVD-2026-20966)
Apr 09, 2026 - 17:15  vuln.today           Analysis Generated
Apr 09, 2026 - 16:37  nvd                  CVE Published (HIGH 8.8)

Description (NVD)

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
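As an added illustration (not MISP's code and not the patched ApacheAuthenticate.php), the weak construction the advisory describes is shown next to an escaped and allow-listed form; the filter shape "(uid=...)", the function names and the server-variable names are assumptions:

```php
<?php
// Added example, not MISP's code: a stand-in for the pattern the advisory
// describes, an account name read from a configurable server variable and
// placed into an LDAP search filter. The "(uid=...)" shape, the function
// names and the $server keys are hypothetical.
declare(strict_types=1);

/** Weak: whatever the proxy put in the configured variable goes straight into the filter. */
function buildFilterUnsafe(array $server, string $envKey): string
{
    return '(uid=' . ($server[$envKey] ?? '') . ')';
}

/**
 * Hardened: the value is first checked against an allow-list of characters a
 * real account name may contain, then escaped per RFC 4515 so that ( ) * \
 * and NUL are treated as literal characters rather than filter syntax.
 */
function buildFilterSafe(array $server, string $envKey): ?string
{
    $username = $server[$envKey] ?? '';
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $username)) {
        return null; // refuse to search rather than query with a malformed name
    }
    return '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed input: a proxy-set variable whose value contains the filter
// metacharacters that RFC 4515 requires to be escaped.
$server = ['HTTP_X_FORWARDED_USER' => 'j.doe(*)\\'];

echo buildFilterUnsafe($server, 'HTTP_X_FORWARDED_USER'), PHP_EOL;
echo var_export(buildFilterSafe($server, 'HTTP_X_FORWARDED_USER'), true), PHP_EOL;
echo buildFilterSafe(['REMOTE_USER' => 'j.doe'], 'REMOTE_USER'), PHP_EOL;
```

Escaping closes the injection itself; which server variable may be trusted remains a deployment question, since a proxy that sets such a variable must also strip any client-supplied copy of it.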

Analysis (AI)

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. …


Remediation (AI)

Within 24 hours: Identify all MISP instances and document which are deployed with Apache authentication using apacheEnv configuration (review ApacheAuthenticate.php settings and proxy configurations). Within 7 days: Upgrade all vulnerable MISP instances to version 2.5.36 or later; if immediate upgrade is not feasible, restrict network access to MISP to trusted internal subnets only. …


CVE-2026-39962 vulnerability details – vuln.today
