CVE-2026-62143

Source
https://cve.org/CVERecord?id=CVE-2026-62143
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62143.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-62143
Published
2026-07-13T07:52:08.643Z
Modified
2026-07-16T03:48:47.911105602Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/RE:M/U:Green CVSS Calculator
Summary
Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses
Details

A Server-Side Request Forgery (SSRF) protection bypass existed in the htmltomarkdown expansion module of misp-modules.

The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses.

An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as:

http://[::ffff:127.0.0.1]/ http://[::ffff:169.254.169.254]/

Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges.

Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown.

The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.

Database specific
{
    "cna_assigner": "CIRCL",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/62xxx/CVE-2026-62143.json"
}
References

Affected packages

Git / github.com/misp/misp-modules

Affected ranges

Type
GIT
Repo
https://github.com/misp/misp-modules
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "v3.0.8"
        }
    ]
}

Affected versions

v2.*
v2.4.110
v2.4.113
v2.4.116
v2.4.118
v2.4.119
v2.4.120
v2.4.121
v2.4.134
v2.4.136
v2.4.137
v2.4.141
v2.4.142
v2.4.143
v2.4.144
v2.4.145
v2.4.147
v2.4.148
v2.4.150
v2.4.151
v2.4.153
v2.4.154
v2.4.156
v2.4.157
v2.4.159
v2.4.160
v2.4.162
v2.4.163
v2.4.171
v2.4.172
v3.*
v3.0.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62143.json"