🔐 CVE Alert

CVE-2026-60125

UNKNOWN 0.0

importModule function in MISP ignores per-organisation import module restrictions

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name. This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.

CWE CWE-863
Vendor misp
Product misp
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for misp misp

Be the first to know when new unknown vulnerabilities affecting misp misp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

misp / misp
0 ≤ 2.5.42

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d

Credits

Sami Mokaddem Berk Polat Claude Opus 4.8 (1M context) aka Claudy