CVE-2026-44363
Description
MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.
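The fix described above combines several checks: an allow-list of URL schemes, a deny-list of loopback, private and link-local ranges, resolution of the hostname before the request, a request timeout, and TLS verification left on. The following is an added example of that pattern and is not code from the MISP Modules project; the range list, the `resolver` parameter (so the check can be exercised without live DNS) and the redirect re-validation in `safe_fetch_html` are this example's own choices.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Address ranges an expansion module must never reach. The entries are this
# example's own choice (illustrative, not copied from the project's fix).
BLOCKED_RANGES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),   # link-local, incl. cloud metadata
    ipaddress.ip_network("100.64.0.0/10"),    # carrier-grade NAT
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]
ALLOWED_SCHEMES = {"http", "https"}


def is_ip_blocked(ip_str: str) -> bool:
    """True if the literal address lies in a blocked range. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped first so it cannot slip past the IPv4 entries."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_RANGES)


def default_resolver(hostname: str) -> list:
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_safe_url(url: str, resolver=default_resolver) -> bool:
    """Reject non-HTTP(S) schemes, missing hosts, literal blocked IPs, and
    hostnames for which *any* resolved address is blocked (fail closed)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        return not is_ip_blocked(host)   # literal IP: decide directly
    except ValueError:
        pass                             # not an IP literal: resolve it below
    try:
        addrs = resolver(host)
    except OSError:                      # socket.gaierror is an OSError subclass
        return False
    return bool(addrs) and not any(is_ip_blocked(a) for a in addrs)


def safe_fetch_html(url: str, max_redirects: int = 3, timeout: int = 10) -> str:
    """Fetch with TLS verification on, a timeout, and every redirect hop
    re-validated: checking only the first URL would miss a 302 to 127.0.0.1."""
    import requests  # imported here so the validation above also works without it

    for _ in range(max_redirects + 1):
        if not is_safe_url(url):
            raise ValueError(f"Blocked URL: {url}")
        r = requests.get(url, timeout=timeout, allow_redirects=False, verify=True)
        if not r.is_redirect:
            r.raise_for_status()
            return r.text
        url = urljoin(url, r.headers["Location"])
    raise ValueError("Too many redirects")
```

Resolving the hostname in the checker and again inside the HTTP client leaves a small DNS-rebinding window; pinning the validated address (for example by connecting to the IP and sending the `Host` header yourself) closes it, at the cost of more code than this example shows.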
Patches
101a522f2772f chg: [html_to_markdown] black fix
1 file changed · +3 −1
misp_modules/modules/expansion/html_to_markdown.py+3 −1 modified@@ -27,7 +27,6 @@ } - BLOCKED_RANGES = [ ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"), @@ -37,6 +36,7 @@ ipaddress.ip_network("::1/128"), ] + def _is_ip_blocked(ip_str: str) -> bool: ip = ipaddress.ip_address(ip_str) return any(ip in net for net in BLOCKED_RANGES) @@ -59,12 +59,14 @@ def is_safe_url(url: str) -> bool: except ValueError: return not _hostname_resolves_to_blocked_ip(parsed.hostname) + def fetchHTML(url): if not is_safe_url(url): raise ValueError(f"Blocked URL: {url}") r = requests.get(url, timeout=10) return r.text + def stripUselessTags(html): soup = BeautifulSoup(html, "html.parser") toRemove = ["script", "head", "header", "footer", "meta", "link"]
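Review bot: in the `fetchHTML` hunk, `is_safe_url(url)` is checked once and then `requests.get(url, timeout=10)` follows redirects by default, so a permitted host that answers with a 302 to a loopback or private address is fetched without ever passing through `is_safe_url`; pass `allow_redirects=False` and re-run `is_safe_url` on each `Location` before following, or at least validate `r.url` after the call. The same hunk also returns `r.text` for any status code; a `r.raise_for_status()` before the return would keep error pages out of the markdown output. Separately, `is_safe_url` resolves the hostname in `_hostname_resolves_to_blocked_ip` while `requests` resolves it again, which leaves a DNS-rebinding window between the check and the connection; worth a comment in the code so the limitation is documented.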
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 4
Linked articles: 0 (no linked articles in our index yet)