CVE-2026-56446

HIGH EPSS 30.1%
Published Jun 22, 20261w ago · Modified Jun 23, 20266d ago
8.7 CVSS 4.0
High
Find Similar
Published Jun 22, 2026 1w ago
Last Modified Jun 23, 2026 6d ago

Description

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
30.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
misp-projectmisp* <2.5.42

References 1

  • github.com https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0
    Patch

Remediation

  • github.com https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0
    Patch