CVE-2026-44363

MEDIUM

Unsafe remote resource fetching in expansion misp-modules

Title source: cna

Description

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/MISP/misp-modules/security/advisories/GHSA-fhq3-2gf3-8f3j

X_Refsource_Misc x_refsource_misc

https://github.com/MISP/misp-modules/commit/01a522f2772fc31eeed379ccf23750c8a3d401db

View Writeup ZIP pw:eip

Scores

CVSS v4 5.8

EPSS 0.0001

EPSS Percentile 0.4%

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295 CWE-918

Status published

Products (2)

MISP/misp-modules < 3.0.7

pypi/misp-modules 0 - 3.0.7PyPI

Published May 13, 2026

Tracked Since May 14, 2026