Skip to main content

MISP CVE-2026-44381

| EUVDEUVD-2026-30168 CRITICAL
SQL Injection (CWE-89)
2026-05-13 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 08:28 vuln.today
Patch available
May 13, 2026 - 22:03 EUVD
CVSS changed
May 13, 2026 - 21:22 NVD
9.3 (CRITICAL)

DescriptionCVE.org

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.

AnalysisAI

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to manipulate ORDER BY clauses in event and shadow attribute listing endpoints by supplying crafted ordering parameters. The CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.04% and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach MISP web interface over network
Delivery
Authenticate or access listing endpoint
Exploit
Submit crafted sort/order parameter
Execution
Inject SQL into ORDER BY clause
Impact
Extract or modify threat intelligence data

Vulnerability AssessmentAI

Exploitation Attacker must be able to reach the MISP web application's event listing or shadow attribute listing endpoints over the network and must supply the vulnerable sort/order request parameter; while the CVSS 4.0 vector specifies PR:N (no privileges), the description's wording 'an attacker with access to the affected endpoints' suggests an authenticated MISP user session is the realistic precondition for most deployments - defenders should confirm endpoint auth requirements against the GHSA advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals diverge sharply here and warrant careful weighting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to a vulnerable MISP instance issues an HTTP request to an event or shadow attribute listing endpoint, supplying a crafted value in the sort or order parameter (for example a SQL fragment, time-based blind injection payload, or stacked subquery) that gets concatenated into the ORDER BY clause. Depending on database privileges, the attacker can extract event content and attributes through blind or error-based techniques, infer schema, or alter query behavior to retrieve unauthorized intelligence records. …
Remediation Upgrade to MISP 2.5.37 or later, which is the vendor-released patch containing the fix per the GHSA-4cxp-22wm-j6jr advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all MISP deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Misp

View all
CVE-2026-56423 CRITICAL
9.4 Jun 22

Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or pe

CVE-2026-56422 CRITICAL
9.4 Jun 22

Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to a

CVE-2026-56425 CRITICAL
9.3 Jun 22

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijackin

CVE-2026-56447 CRITICAL
9.3 Jun 22

Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to

CVE-2026-10868 CRITICAL
9.0 Jun 04

Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify o

CVE-2025-67906 CRITICAL
9.0 Dec 15

Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated u

CVE-2026-39962 HIGH
8.8 Apr 09

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers

CVE-2026-56446 HIGH
8.7 Jun 22

Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configu

CVE-2026-44380 HIGH
8.6 May 13

Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to

CVE-2026-9136 HIGH
8.3 May 20

Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submissio

CVE-2026-10611 HIGH
8.2 Jun 02

OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_ot

CVE-2026-10860 HIGH
7.9 Jun 04

Authorization bypass in MISP versions through 2.5.38 lets authenticated users delete records via HTTP DELETE requests ev

Share

CVE-2026-44381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy