{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/misp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MISP \u003c 2.5.37"],"_cs_severities":["high"],"_cs_tags":["misp","vulnerability","sqli","privilege-escalation","security-policy-bypass"],"_cs_type":"advisory","_cs_vendors":["MISP"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been discovered in MISP (Malware Information Sharing Platform and Threat Sharing) versions prior to 2.5.37. These flaws could allow a remote attacker to perform a variety of malicious actions, including escalating privileges to gain unauthorized access, injecting SQL code to potentially read or modify database contents, and bypassing existing security policies to execute restricted operations. These vulnerabilities pose a significant risk to organizations using MISP for threat intelligence, potentially leading to data breaches, unauthorized access to sensitive information, or disruption of threat intelligence operations. Users should upgrade to version 2.5.37 or later as soon as possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable MISP instance running a version prior to 2.5.37.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload designed to exploit a SQLi vulnerability within the MISP application, potentially targeting input fields or API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SQL injection payload to the vulnerable MISP instance through a web request or API call.\u003c/li\u003e\n\u003cli\u003eThe MISP application improperly processes the malicious SQL payload, leading to the execution of attacker-controlled SQL commands against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a privilege escalation vulnerability to gain elevated privileges within the MISP application, potentially bypassing access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the security policy bypass vulnerability to circumvent security restrictions and execute unauthorized actions within the MISP system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored within the MISP instance, such as threat intelligence reports, indicators of compromise (IOCs), or user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data or uses the compromised system to launch further attacks against other systems or organizations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive threat intelligence data stored within MISP, potentially impacting organizations relying on MISP for security operations. An attacker could steal sensitive data, modify existing intelligence, or inject false information, impacting trust in the platform. While the number of victims is not specified in the report, any organization using a vulnerable version of MISP is at risk. The severity of impact would depend on the sensitivity of the data stored within the compromised MISP instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MISP to version 2.5.37 or later to remediate the vulnerabilities as per the vendor\u0026rsquo;s security bulletin.\u003c/li\u003e\n\u003cli\u003eDeploy web application firewall (WAF) rules to detect and block SQL injection attempts targeting MISP, mitigating potential SQLi exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor MISP logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious activity, such as unexpected SQL errors or unauthorized access attempts, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-misp-vulns/","summary":"Multiple vulnerabilities in MISP versions prior to 2.5.37 allow attackers to perform privilege escalation, SQL injection (SQLi), and security policy bypass.","title":"Multiple Vulnerabilities in MISP Threat Intelligence Platform","url":"https://feed.craftedsignal.io/briefs/2026-04-misp-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — MISP","version":"https://jsonfeed.org/version/1.1"}