Query Manipulation Vulnerability in MISP's Correlations Controller
CVE-2026-10863

6.4 MEDIUM

Key Information:

Vendor: MISP

Status: Vendor

CVE Published: 4 June 2026

What is CVE-2026-10863?

A security flaw was identified in the CorrelationsController of MISP: the over-correlations endpoint allowed an authenticated user to control the ordering of the underlying database query through user-supplied parameters. Because the ordering values were not restricted to a server-side allowlist, a request could alter how the query was executed and potentially reveal sensitive data. The patch removes user control over the ordering parameters and enforces a server-defined ordering instead.
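The pattern behind the fix, as an added illustration rather than MISP's own code: the "before" helper passes request parameters straight into ORDER BY, while the hardened helper maps them onto a fixed allowlist and falls back to a server-defined default. The table, column and parameter names (`over_correlations`, `sort`, `direction`) are constructed for the example.

```python
import sqlite3

# Constructed allowlist: the only sort keys the server will ever honour.
ALLOWED_ORDER = {"value": "value", "occurrence": "occurrence"}
DEFAULT_ORDER = ("occurrence", "DESC")


def vulnerable_order_clause(params: dict) -> str:
    """'Before' pattern: whatever the client sends lands in the query verbatim."""
    return f"ORDER BY {params.get('sort', 'occurrence')} {params.get('direction', 'DESC')}"


def server_defined_order(params: dict) -> tuple:
    """'After' pattern: request values select from an allowlist; unknown keys
    and directions silently fall back to the server-defined default."""
    column = ALLOWED_ORDER.get(str(params.get("sort", "")).lower(), DEFAULT_ORDER[0])
    direction = "ASC" if str(params.get("direction", "")).lower() == "asc" else "DESC"
    return column, direction


def list_over_correlations(conn: sqlite3.Connection, params: dict) -> list:
    """Paginated-listing style query using only server-chosen ordering tokens."""
    column, direction = server_defined_order(params)
    sql = f"SELECT value, occurrence FROM over_correlations ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an over-correlation table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE over_correlations (value TEXT, occurrence INTEGER)")
    conn.executemany(
        "INSERT INTO over_correlations VALUES (?, ?)",
        [("203.0.113.7", 120), ("198.51.100.2", 45), ("example.org", 300)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_over_correlations(db, {"sort": "created_at", "direction": "asc"}))
```

A request asking for a column outside the allowlist is answered with the default ordering; the unvalidated variant would instead have emitted the client's string into the query.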

Affected Version(s)

MISP, versions 0 through 2.5.38 inclusive (0 <= version <= 2.5.38)

References

CVSS V4

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

  • Jeroen Pinoy

  • Andras Iklody