Description
MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.
Published: 2026-05-13
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The html_to_markdown module accepted arbitrary HTTP(S) URLs without validating the scheme or the target address, enabling a server‑side request forgery (SSRF) that could reach loopback, private, or link‑local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing these requests to man‑in‑the‑middle attacks. Together, an attacker who can supply input to these modules may cause the MISP server to fetch internal resources or capture tampered responses, compromising confidentiality and integrity.

Affected Systems

All MISP module releases before 3.0.7 are affected, including the html_to_markdown and qrcode modules. The vulnerability is specific to the MISP:misp-modules package and its expansion modules.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the KEV catalog. Exploitation would require an attacker able to supply URLs to the vulnerable modules, which is typically possible through unauthenticated or privileged access to MISP event inputs or module configuration. The likely attack vector is a remote attacker controlling the module input. Once exploited, the attacker may access internal network resources or tamper with external images received by the server.

Generated by OpenCVE AI on May 13, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP modules to version 3.0.7 or later, which includes validation of URL schemes, blocking of local address ranges, hostname resolution, request timeouts, and re‑enabled TLS certificate verification.
  • Restrict usage of the html_to_markdown and qrcode modules to authenticated administrators or trusted users, and consider disabling or quarantining any modules that accept untrusted input.
  • Enforce network segmentation or firewall rules to block outgoing connections from the MISP server to loopback, private, or link‑local address ranges, and enforce TLS verification for all external requests.

Generated by OpenCVE AI on May 13, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fhq3-2gf3-8f3j misp-modules has nsafe remote resource fetching in expansion
History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp-modules
Vendors & Products Misp
Misp misp-modules

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.
Title Unsafe remote resource fetching in expansion misp-modules
Weaknesses CWE-295
CWE-918
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Misp Misp-modules
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:31:25.989Z

Reserved: 2026-05-05T20:15:20.631Z

Link: CVE-2026-44363

cve-icon Vulnrichment

Updated: 2026-05-14T12:31:20.369Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T20:16:23.007

Modified: 2026-05-14T16:54:37.963

Link: CVE-2026-44363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:43Z

Weaknesses