Security Advisory - Published 2026-06-13 - PHP / Threat Intel
MISP CVE-2026-54360 and jmespath.php CVE-2026-54133: owner-side checks
These two PHP findings hit different stacks. MISP operators should review sharing group creation and ownership changes. PHP apps using jmespath.php should check whether untrusted expressions ever reach the compiler runtime.
Checks to run
# MISP deployment
git -C /var/www/MISP rev-parse --short HEAD 2>/dev/null
grep -Rni "sharing group\\|SharingGroup" /var/www/MISP/app/tmp/logs 2>/dev/null | tail -100
# PHP apps using jmespath.php
# The library is published on Packagist as mtdowling/jmespath.php (GitHub repository: jmespath/jmespath.php)
composer show mtdowling/jmespath.php
grep -Rni "CompilerRuntime\\|JP_PHP_COMPILE\\|JmesPath" . --include="*.php" --include="composer.lock"
For jmespath.php, the safer path for untrusted expressions is the non-compiler runtime. Patch to 2.9.1 or later, and remove compiler runtime use from any route that accepts user-controlled expressions.
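The jmespath.php checks above combined into one triage pass, as an added example that is not from the advisory or the jmespath.php project: it reads the locked version from composer.lock, compares it with 2.9.1, and flags project files that reference the compiler runtime. The function names, verdict strings and sample project are constructed for illustration; it assumes the Packagist name mtdowling/jmespath.php and a sort that supports -V.

```shell
#!/bin/sh
# Added example: triage one PHP project for the jmespath.php item in this advisory.
FIXED="2.9.1"   # fixed release named in the advisory

# Print the locked mtdowling/jmespath.php version from a composer.lock (empty if absent).
lock_version() {
  awk '
    /"name":[ \t]*"mtdowling\/jmespath\.php"/ { hit = 1; next }
    hit && /"version":/ { sub(/.*"version":[ \t]*"v?/, ""); sub(/".*/, ""); print; exit }
    hit && /^[ \t]*[}]/ { hit = 0 }   # left the package object without a version
  ' "$1"
}

# Exit 0 when version $1 is older than $2. Assumes a sort with -V (GNU coreutils).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Project files (vendor/ excluded) that name the compiler runtime or its env switch.
compiler_refs() {
  grep -RlE 'CompilerRuntime|JP_PHP_COMPILE' "$1" \
    --include='*.php' --include='.env*' --exclude-dir=vendor 2>/dev/null
}

# Verdict: not-installed, or "<outdated|patched>[+compiler] <version>".
triage() {
  dir=$1
  [ -f "$dir/composer.lock" ] || { echo "not-installed"; return 0; }
  ver=$(lock_version "$dir/composer.lock")
  [ -n "$ver" ] || { echo "not-installed"; return 0; }
  if version_lt "$ver" "$FIXED"; then state=outdated; else state=patched; fi
  if [ -n "$(compiler_refs "$dir")" ]; then state="$state+compiler"; fi
  echo "$state $ver"
}

# Constructed sample project: old locked version plus one file using the compiler runtime.
make_sample() {
  d=$(mktemp -d) && mkdir -p "$d/src"
  printf '%s\n' '{ "packages": [' '  {' '    "name": "mtdowling/jmespath.php",' \
    '    "version": "2.6.1",' '    "type": "library"' '  }' '] }' > "$d/composer.lock"
  printf '%s\n' '<?php $rt = new \JmesPath\CompilerRuntime(sys_get_temp_dir());' \
    > "$d/src/Search.php"
  echo "$d"
}

demo=$(make_sample) && triage "$demo" && rm -rf "$demo"   # prints: outdated+compiler 2.6.1
```

A +compiler verdict on a patched version still needs review, since the advisory asks for compiler runtime use to be removed from any route that accepts user-controlled expressions.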
Review after patching
- MISP: sharing groups with unexpected IDs, owners, organizations, or membership changes.
- MISP: events or attributes that became visible to a broader group than intended.
- jmespath.php: generated PHP cache files, unusual write locations, or application errors around expression parsing.
- PHP hosts: new files under cache/temp directories after requests containing filter or query expressions.
Ping7 repair path
Ping7 can review MISP sharing boundaries, PHP dependency versions, generated cache files, and logs. Use CVE Repair if a public API accepts expressions or a MISP instance stores sensitive threat-intelligence data.