216.73.217.22

CVE-2026-44381

· Published 13/05/2026 21:16 · Modified 14/05/2026 16:57

Labels: CVE-2026-44381 2026-05-13CVE-2026-44381CWE-89[email protected]

Essential information

Published
13/05/2026 21:16
Modified
14/05/2026 16:57
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
misp / misp cpe:2.3:a:misp:misp:<2.5.37:*:*:*:*:*:*:*

References