Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-44381— MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings

EPSS 0.04% · P11
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44381

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Source: NVD (National Vulnerability Database)
Vulnerability Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MISP SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MISP是MISP开源的一套开源的软件解决方案。该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP 2.5.37之前版本存在SQL注入漏洞,该漏洞源于事件和影子属性列表端点中用户控制的排序参数处理存在SQL注入,攻击者可构造恶意排序参数操纵SQL查询。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
MISPMISP < 2.5.37 -

II. Public POCs for CVE-2026-44381

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-44381

登录查看更多情报信息。

Same Patch Batch · MISP · 2026-05-13 · 5 CVEs total

CVE-2026-44363Unsafe remote resource fetching in expansion misp-modules
CVE-2026-44379MISP: Improper UUID validation in MISP Collections
CVE-2026-44364misp-modules website - Missing CSRF protection in the website home blueprint
CVE-2026-44380MISP: Improper access control in auth key reset allows privilege escalation to site admin

IV. Related Vulnerabilities

Same product: MISP
Same vendor: MISP
Same weakness: CWE-89

V. Comments for CVE-2026-44381

No comments yet

Leave a comment