CVE-2026-56446

June 22, 2026, 5:50 p.m.

8.7
High

Description

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.

Product(s) Impacted

Vendor Product Versions
Misp
  • Misp
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a misp misp / / / / / / / /

References

https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0

Tags

CWE-94
5a6e4751-2f3f-4070-9419-94fb35b644e8
2026-06-22
CVE-2026-56446

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Attack Requirements: NONE
  • Privileges Required: HIGH
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 22, 2026, 2:17 p.m.
Last Modified: June 22, 2026, 5:50 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

5a6e4751-2f3f-4070-9419-94fb35b644e8

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.