CVE-2026-44363

Source
https://cve.org/CVERecord?id=CVE-2026-44363
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44363.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44363
Aliases
Published
2026-05-13T19:16:59.579Z
Modified
2026-07-13T16:43:14.327841976Z
Severity
  • 5.8 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
Unsafe remote resource fetching in expansion misp-modules
Details

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-295",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44363.json"
}
References

Affected packages

Git / github.com/misp/misp-modules

Affected ranges

Type
GIT
Repo
https://github.com/misp/misp-modules
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.7"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v2.*
v2.4.110
v2.4.113
v2.4.116
v2.4.118
v2.4.119
v2.4.120
v2.4.121
v2.4.134
v2.4.136
v2.4.137
v2.4.141
v2.4.142
v2.4.143
v2.4.144
v2.4.145
v2.4.147
v2.4.148
v2.4.150
v2.4.151
v2.4.153
v2.4.154
v2.4.156
v2.4.157
v2.4.159
v2.4.160
v2.4.162
v2.4.163
v2.4.171
v2.4.172
v3.*
v3.0.6
v3.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44363.json"