CVE-2026-44381

MEDIUM

MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings

Title source: cna

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jr

Scores

CVSS v3 5.3

EPSS 0.0023

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (2)

misp/misp < 2.5.37

MISP/MISP < 2.5.37

Published May 13, 2026

Tracked Since May 14, 2026