CVE-2026-10863

EPSS 0.23%
Veröffentlicht 04.06.2026 13:44:49
Zuletzt bearbeitet 22.06.2026 19:23:18
Quelle 5a6e4751-2f3f-4070-9419-94fb35
CVE-Watchlists
Login
Unerledigt
Login

MISP User-controlled order parameter in correlations over-correlation endpoint

A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction.



The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters.



Affected component:
app/Controller/CorrelationsController.php, overCorrelations()



Security impact:
An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Misp-project ≫ Misp Version < 2.5.39

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.128

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
5a6e4751-2f3f-4070-9419-94fb35b644e8	6.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/MISP/MISP/commit/aa094a335ba2855f8a42a1dc44398f43560fe247

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-10863

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-10863

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-10863

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-10863