🔐 CVE Alert

CVE-2026-56446

UNKNOWN 0.0

Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.
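The destination rules described above, written out as an added PHP example; this is not MISP's code from the fix commit. The function name, the `$allowedRoots` parameter, the install path standing in for APP/tmp/logs and the deny-list of executable segments are assumptions.

```php
<?php
// Added illustration, not MISP's code: validateLogPath() and $allowedRoots are hypothetical names.
// Returns null when the path is acceptable, otherwise a short rejection reason.
function validateLogPath(string $path, array $allowedRoots): ?string
{
    // Stream wrappers (php://, phar://, ...), NUL bytes and backslashes are never valid here.
    if ($path === '' || strpos($path, '://') !== false
        || strpos($path, "\0") !== false || strpos($path, '\\') !== false) {
        return 'stream wrapper or illegal character';
    }
    if ($path[0] !== '/') {
        return 'path must be absolute';
    }
    if (array_intersect(explode('/', $path), ['.', '..'])) {
        return 'traversal segment';
    }
    // Only .log / .ndjson, and no executable segment anywhere in the name (errors.php.log).
    $segments = explode('.', strtolower(basename($path)));
    $extension = array_pop($segments);
    if (!$segments || $segments[0] === '' || !in_array($extension, ['log', 'ndjson'], true)) {
        return 'filename must end in .log or .ndjson';
    }
    foreach ($segments as $segment) {
        // Assumed deny-list; the advisory text does not enumerate the blocked segments.
        if (preg_match('/^(php\d*|phtml|pht|phar)$/', $segment)) {
            return 'executable extension segment';
        }
    }
    // The parent directory must already exist and resolve (symlinks included) under an allowed root.
    $dir = realpath(dirname($path));
    foreach ($allowedRoots as $root) {
        $root = realpath($root);
        if ($dir !== false && $root !== false && strpos($dir . '/', $root . '/') === 0) {
            return null; // accepted
        }
    }
    return 'directory missing or outside allowed roots';
}

// Constructed sample inputs. /var/www/MISP/app is an assumed install location for APP.
$roots = ['/var/log', '/var/www/MISP/app/tmp/logs'];
$samples = ['/var/log/misp_errors.ndjson', '/var/www/MISP/app/webroot/errors.php',
    '/var/log/errors.php.log', '/var/log/../www/errors.log', 'php://stdout', 'logs/errors.log'];
foreach ($samples as $sample) {
    printf("%-40s %s\n", $sample, validateLogPath($sample, $roots) ?? 'accepted');
}
```

Resolving the parent directory with `realpath()` before the prefix comparison means a symlink placed under an allowed root cannot redirect the log outside it.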

CWE: CWE-94
Vendor: misp
Product: misp
Published: Jun 22, 2026
Last Updated: Jun 23, 2026

Affected Versions

misp / misp
0 ≤ 2.5.41

References

github.com: https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0

Credits

Jakub Chyliński, Andras Iklody