PT-2026-40809 · Misp · Misp

Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-44381

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

MISP versions prior to 2.5.37

Description

An issue exists in the handling of user-controlled ordering parameters within the event and shadow attribute listing endpoints. The software accepts order or sort values from request parameters and incorporates them into database query ordering clauses without sufficient validation of the requested field name. This allows an attacker to craft a malicious ordering parameter to manipulate the generated SQL query, which could lead to unauthorized data access or modification of query behavior depending on database permissions.

Recommendations

Update to version 2.5.37.
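
The kind of field-name validation the description says was missing, shown as an added example (not MISP's code and not its actual fix): a listing query whose ORDER BY clause can only be built from an allowlist. The `events` table, its columns, the function names and the sample request values are constructed for illustration.

```python
import sqlite3

# Hypothetical mapping from request-facing sort keys to fixed SQL identifiers.
# Only these strings can ever reach the ORDER BY clause.
SORTABLE = {"id": "id", "date": "date", "info": "info"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_clause(sort, direction="asc"):
    """Return an ORDER BY clause built only from allowlisted constants."""
    key = str(sort).strip().lower()
    way = str(direction).strip().lower()
    if key not in SORTABLE or way not in DIRECTIONS:
        raise ValueError("unsupported ordering requested")
    # The clause is assembled from dictionary values, never from request text.
    return f"ORDER BY {SORTABLE[key]} {DIRECTIONS[way]}"


def list_events(conn, sort="id", direction="asc", limit=50):
    """List rows from the constructed 'events' table in the requested order."""
    # Identifiers cannot be bound as parameters, so the ordering is validated;
    # values such as the limit still go through a placeholder.
    sql = f"SELECT id, date, info FROM events {order_clause(sort, direction)} LIMIT ?"
    return conn.execute(sql, (int(limit),)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, date TEXT, info TEXT)")
    conn.executemany(
        "INSERT INTO events (id, date, info) VALUES (?, ?, ?)",
        [(1, "2026-01-03", "phishing"), (2, "2026-01-01", "malware"), (3, "2026-01-02", "scan")],
    )
    accepted = [row[0] for row in list_events(conn, "date", "desc")]
    rejected = []
    # Constructed request values that are not plain allowlisted field names.
    for value in ["info, id", "Event.info", "date desc", ""]:
        try:
            list_events(conn, value)
        except ValueError:
            rejected.append(value)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Rejected ordering values are also worth logging on the server side, since a legitimate client only ever sends the known field names.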

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-44381

Affected Products

Misp