Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-62143

Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-918 Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
13/07/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules.<br /> <br /> The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses.<br /> <br /> An authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as:<br /> <br /> http://[::ffff:127.0.0.1]/<br /> http://[::ffff:169.254.169.254]/<br /> <br /> Alternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges.<br /> <br /> Successful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown.<br /> <br /> The vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.