VulnerableCode Package Details - pkg:pypi/misp-modules@2.4.199

Search for packages

Vulnerability	Summary	Fixed by
VCID-hhn3-e7zz-audm Aliases: CVE-2026-44363 GHSA-fhq3-2gf3-8f3j	MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.	There are no reported fixed by versions.
VCID-ndeh-dr3m-mkgq Aliases: CVE-2026-44364 GHSA-j4rh-7jcr-qm69	MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-hhn3-e7zz-audm
Aliases:
CVE-2026-44363
GHSA-fhq3-2gf3-8f3j

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally, the qrcode module disabled TLS certificate verification when retrieving remote images, exposing requests to potential man-in-the-middle interception or response tampering. The issue was fixed by validating URL schemes, blocking local and private address ranges, resolving hostnames before fetching, enforcing request timeouts, and re-enabling TLS certificate verification. This vulnerability is fixed in 3.0.7.

There are no reported fixed by versions.

VCID-ndeh-dr3m-mkgq
Aliases:
CVE-2026-44364
GHSA-j4rh-7jcr-qm69

MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:22:47.029356+00:00	GitLab Importer	Affected by	VCID-hhn3-e7zz-audm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/misp-modules/CVE-2026-44363.yml	38.6.0
2026-06-12T22:22:45.387444+00:00	GitLab Importer	Affected by	VCID-ndeh-dr3m-mkgq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/misp-modules/CVE-2026-44364.yml	38.6.0

2026-06-12T22:22:47.029356+00:00

GitLab Importer

Affected by

VCID-hhn3-e7zz-audm

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/misp-modules/CVE-2026-44363.yml

38.6.0

2026-06-12T22:22:45.387444+00:00

GitLab Importer

Affected by

VCID-ndeh-dr3m-mkgq

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/misp-modules/CVE-2026-44364.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.5