CVE-2026-44364: misp-modules website - Missing CSRF protection in the website home blueprint

May 6, 2026

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing. As reported by Bilal Teke.

References

github.com/MISP/misp-modules
github.com/MISP/misp-modules/commit/52cda9caa003cafe87e14ae3721db5e16f6f111a
github.com/MISP/misp-modules/security/advisories/GHSA-j4rh-7jcr-qm69
github.com/advisories/GHSA-j4rh-7jcr-qm69
nvd.nist.gov/vuln/detail/CVE-2026-44364

Code Behaviors & Features

Detect and mitigate CVE-2026-44364 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →