CVE-2026-56446
Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP
Description
MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.
INFO
Published Date :
June 22, 2026, 12:31 p.m.
Last Modified :
June 22, 2026, 12:31 p.m.
Remotely Exploit :
Yes !
Source :
CIRCL
Affected Products
The following products are affected by CVE-2026-56446
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | HIGH | 5a6e4751-2f3f-4070-9419-94fb35b644e8 |
Solution
- Configure log destinations to existing directories.
- Use absolute paths for log files.
- Validate log filenames and extensions.
- Do not allow stream wrappers or traversal characters.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-56446 vulnerability anywhere in the article.