CVE-2026-56446 | MISP allowed a site administrator to configure an arbitrary … | CVSS 8.7 HIGH

Description

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.

Metadata

CVE ID: CVE-2026-56446
State: PUBLISHED
Assigner: CIRCL
Reserved: 2026-06-22 12:31 UTC
Published: 2026-06-22 12:31 UTC
Last updated: 2026-06-22 12:31 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: misp / misp
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
misp	misp	—	0 ≤ 2.5.41

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References (1)

https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0