Remote Resource Fetching Vulnerability in MISP Modules by MISP
CVE-2026-44363

5.8 MEDIUM

Key Information:

Vendor: Misp
CVE Published: 13 May 2026

What is CVE-2026-44363?

MISP Modules before version 3.0.7 have an unsafe remote resource fetching vulnerability that could lead to Server-Side Request Forgery (SSRF). The vulnerability arises in the html_to_markdown module, which inadequately validates user-provided HTTP(S) URLs, potentially allowing unauthorized access to loopback, private, or link-local resources. Additionally, the qrcode module's failure to enforce TLS certificate verification when fetching remote images increases the risk of man-in-the-middle attacks, resulting in response tampering. The issue was addressed by implementing strict URL validation, blocking access to local and private addresses, resolving hostnames prior to fetching, enforcing request timeouts, and reinstating TLS certificate verification in version 3.0.7.
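The validation steps listed above (scheme check, resolving the hostname before fetching, rejecting loopback, private and link-local addresses) can be sketched as follows. This is an added example, not the MISP Modules patch; `UnsafeURL`, `validate_fetch_url`, `is_public_address` and the injectable `resolver` parameter are hypothetical names chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def _system_resolver(host, port):
    # Default resolver: every address the OS returns for the host.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public_address(addr):
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=_system_resolver):
    """Return (host, port, addresses) if url is safe to fetch, else raise."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeURL("missing host or embedded credentials")
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {parts.hostname!r}") from exc
    if not addresses:
        raise UnsafeURL("host resolved to no addresses")
    # Reject if ANY record is non-public, so a mixed answer cannot slip through.
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeURL(f"{parts.hostname} resolves to blocked address {addr}")
    return parts.hostname, port, addresses
```

The fetch itself should connect to the returned addresses instead of resolving the name a second time, so the address that was checked is the address that is contacted. It should also set a request timeout and leave TLS certificate verification enabled.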

Affected Version(s)

misp-modules < 3.0.7

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
