CVE-2026-60125

Source
https://cve.org/CVERecord?id=CVE-2026-60125
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60125.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-60125
Published
2026-07-08T13:36:53.507Z
Modified
2026-07-15T01:49:10.069378449Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L CVSS Calculator
Summary
importModule function in MISP ignores per-organisation import module restrictions
Details

MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import<module>restrict could still invoke that import module directly if they knew its name.

This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.

Database specific
{
    "cna_assigner": "CIRCL",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/60xxx/CVE-2026-60125.json"
}
References

Affected packages

Git / github.com/misp/misp

Affected ranges

Type
GIT
Repo
https://github.com/misp/misp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.42"
        }
    ]
}

Affected versions

Other
codename/tellurium
rm
v0.*
v0.2
v2.*
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.100
v2.4.101
v2.4.102
v2.4.106
v2.4.107
v2.4.109
v2.4.11
v2.4.110
v2.4.111
v2.4.118
v2.4.120
v2.4.121
v2.4.122
v2.4.123
v2.4.125
v2.4.127
v2.4.128
v2.4.13
v2.4.130
v2.4.133
v2.4.134
v2.4.136
v2.4.137
v2.4.14
v2.4.15
v2.4.152
v2.4.153
v2.4.16
v2.4.17
v2.4.175
v2.4.18
v2.4.183
v2.4.184
v2.4.185
v2.4.186
v2.4.187
v2.4.188
v2.4.189
v2.4.190
v2.4.191
v2.4.192
v2.4.193
v2.4.194
v2.4.195
v2.4.196
v2.4.2
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.26
v2.4.27
v2.4.3
v2.4.34
v2.4.35
v2.4.36
v2.4.37
v2.4.38
v2.4.39
v2.4.4
v2.4.43
v2.4.45
v2.4.46
v2.4.47
v2.4.48
v2.4.5
v2.4.50
v2.4.51
v2.4.52
v2.4.53
v2.4.54
v2.4.56
v2.4.57
v2.4.58
v2.4.59
v2.4.60
v2.4.61
v2.4.62
v2.4.63
v2.4.64
v2.4.65
v2.4.7
v2.4.78
v2.4.80
v2.4.82
v2.4.83
v2.4.85
v2.4.86
v2.4.87
v2.4.88
v2.4.89
v2.4.9
v2.4.91
v2.4.93
v2.4.94
v2.4.95
v2.4.96
v2.4.98
v2.5.0
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.20
v2.5.21
v2.5.22
v2.5.23
v2.5.24
v2.5.25
v2.5.26
v2.5.27
v2.5.28
v2.5.29
v2.5.30
v2.5.31
v2.5.32
v2.5.33
v2.5.34
v2.5.35
v2.5.36
v2.5.37
v2.5.7
v2.5.8
v2.5.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60125.json"