CVE-2026-62143
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-918
Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
13/07/2026
Última modificación:
14/07/2026
Descripción
*** Pendiente de traducción *** A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules.<br />
<br />
The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses.<br />
<br />
An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as:<br />
<br />
http://[::ffff:127.0.0.1]/<br />
http://[::ffff:169.254.169.254]/<br />
<br />
Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges.<br />
<br />
Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown.<br />
<br />
The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.



