GCVE-1-2026-0017

Vulnerability from gna-1 – Published: 2026-02-27 13:10 – Updated: 2026-02-27 13:10
Title
Improper Neutralization of Raw HTML in MISP modules Markdown-to-PDF Module Leads to HTML Injection
Summary
An improper neutralization of input in the convert_markdown_to_pdf expansion module of MISP Modules allows an attacker who can supply Markdown to include raw HTML blocks that are preserved by Pandoc during Markdown-to-PDF conversion. When the PDF is generated, the embedded HTML may be interpreted by the rendering pipeline, resulting in HTML injection into the produced PDF and potentially server-side network requests and/or local file disclosure depending on the configured PDF engine. This issue is fixed by sanitizing Pandoc AST RawBlock elements with HTML format into literal code blocks (commit 6644c3d074d898492255e9de5f32a52667ac6d85).
CWE
Assigner
Impacted products
Vendor Product Version
misp misp-modules Affected: ≤ 3.0.5
Credits
Sami Mokaddem (remediation developer)
Maxime ESCOURBIAC from Michelin CERT (finder)
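
The mitigation named in the summary, rewriting HTML-format RawBlock nodes of the Pandoc AST into literal code blocks, can be sketched as a pass over Pandoc's JSON AST. This is an added example, not the code from the referenced commit; the function names and the sample AST are constructed for illustration, and handling RawInline as well is an assumption that goes beyond what the advisory states.

```python
import json

def is_raw_html(node, tag):
    """True for a pandoc node of type `tag` whose raw format is HTML."""
    return (isinstance(node, dict) and node.get("t") == tag
            and str(node["c"][0]).lower() == "html")

def neutralize_raw_html(node):
    """Return a copy of a pandoc JSON AST with raw HTML turned into literal code."""
    if isinstance(node, list):
        return [neutralize_raw_html(n) for n in node]
    if isinstance(node, dict):
        if is_raw_html(node, "RawBlock"):    # the case named in the advisory
            return {"t": "CodeBlock", "c": [["", [], []], node["c"][1]]}
        if is_raw_html(node, "RawInline"):   # assumption: inline analogue
            return {"t": "Code", "c": [["", [], []], node["c"][1]]}
        return {k: neutralize_raw_html(v) for k, v in node.items()}
    return node

def count_raw_html(node):
    """Count raw HTML nodes anywhere in the tree (0 means none remain)."""
    if isinstance(node, list):
        return sum(count_raw_html(n) for n in node)
    if isinstance(node, dict):
        if is_raw_html(node, "RawBlock") or is_raw_html(node, "RawInline"):
            return 1
        return sum(count_raw_html(v) for v in node.values())
    return 0

# Constructed sample AST with benign markup, in the shape pandoc's JSON
# writer emits; the raw LaTeX block is left alone because only the HTML
# format is rewritten here.
SAMPLE_AST = {
    "pandoc-api-version": [1, 23, 1],
    "meta": {},
    "blocks": [
        {"t": "Para", "c": [{"t": "Str", "c": "Report"},
                            {"t": "RawInline", "c": ["html", "<b>"]}]},
        {"t": "RawBlock", "c": ["html", '<div class="note">text</div>']},
        {"t": "BlockQuote", "c": [
            {"t": "RawBlock", "c": ["HTML", "<p>nested</p>"]}]},
        {"t": "RawBlock", "c": ["latex", "\\newpage"]},
    ],
}

if __name__ == "__main__":
    cleaned = neutralize_raw_html(SAMPLE_AST)
    print(count_raw_html(SAMPLE_AST), "->", count_raw_html(cleaned))
    print(json.dumps(cleaned["blocks"], indent=2))
```

In a conversion pipeline the AST would come from `pandoc -f markdown -t json`, and the cleaned JSON would be passed back to pandoc with `-f json` for PDF output.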

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp-modules",
          "vendor": "misp",
          "versions": [
            {
              "lessThanOrEqual": "3.0.5",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sami Mokaddem"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Maxime ESCOURBIAC from Michelin CERT"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper neutralization of input in the \u003ccode\u003econvert_markdown_to_pdf\u003c/code\u003e expansion module of MISP Modules allows an attacker who can supply Markdown to include \u003cstrong\u003eraw HTML blocks\u003c/strong\u003e that are preserved by Pandoc during Markdown-to-PDF conversion. When the PDF is generated, the embedded HTML may be interpreted by the rendering pipeline, resulting in \u003cstrong\u003eHTML injection into the produced PDF\u003c/strong\u003e and potentially \u003cstrong\u003eserver-side network requests and/or local file disclosure\u003c/strong\u003e depending on the configured PDF engine. This issue is fixed by sanitizing Pandoc AST \u003ccode\u003eRawBlock\u003c/code\u003e elements with HTML format into literal code blocks (commit \u003ccode\u003e6644c3d074d898492255e9de5f32a52667ac6d85\u003c/code\u003e)."
            }
          ],
          "value": "An improper neutralization of input in the convert_markdown_to_pdf expansion module of MISP Modules allows an attacker who can supply Markdown to include raw HTML blocks that are preserved by Pandoc during Markdown-to-PDF conversion. When the PDF is generated, the embedded HTML may be interpreted by the rendering pipeline, resulting in HTML injection into the produced PDF and potentially server-side network requests and/or local file disclosure depending on the configured PDF engine. This issue is fixed by sanitizing Pandoc AST RawBlock elements with HTML format into literal code blocks (commit 6644c3d074d898492255e9de5f32a52667ac6d85)."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/MISP-modules/commit/6644c3d074d898492255e9de5f32a52667ac6d85"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper Neutralization of Raw HTML in MISP modules Markdown-to-PDF Module Leads to HTML Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-02-27T13:10:24.641948Z",
    "dateUpdated": "2026-02-27T13:10:24.641948Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2026-0017",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-27T13:10:24.641948Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

