Search criteria
216 vulnerabilities found for misp by misp
CVE-2026-44381 (GCVE-0-2026-44381)
Vulnerability from nvd – Published: 2026-05-13 20:50 – Updated: 2026-05-14 15:53
VLAI?
Title
MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:51:53.243137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:53:03.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:50:04.152Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jr"
}
],
"source": {
"advisory": "GHSA-4cxp-22wm-j6jr",
"discovery": "UNKNOWN"
},
"title": "MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44381",
"datePublished": "2026-05-13T20:50:04.152Z",
"dateReserved": "2026-05-05T20:15:20.632Z",
"dateUpdated": "2026-05-14T15:53:03.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44380 (GCVE-0-2026-44380)
Vulnerability from nvd – Published: 2026-05-13 20:51 – Updated: 2026-05-14 19:52
VLAI?
Title
MISP: Improper access control in auth key reset allows privilege escalation to site administrator
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:05:19.358078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:16.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:51:30.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc"
}
],
"source": {
"advisory": "GHSA-3939-4g6m-m3hc",
"discovery": "UNKNOWN"
},
"title": "MISP: Improper access control in auth key reset allows privilege escalation to site administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44380",
"datePublished": "2026-05-13T20:51:30.955Z",
"dateReserved": "2026-05-05T20:15:20.632Z",
"dateUpdated": "2026-05-14T19:52:16.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44379 (GCVE-0-2026-44379)
Vulnerability from nvd – Published: 2026-05-13 20:53 – Updated: 2026-05-14 12:57
VLAI?
Title
MISP: Improper UUID validation in MISP Collections
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/MISP/MISP/commit/f8b20358c3cd8… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:57:25.706804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:57:42.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:53:36.024Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-jrvj-84mg-8f29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-jrvj-84mg-8f29"
},
{
"name": "https://github.com/MISP/MISP/commit/f8b20358c3cd8fd3d784452901876f2db0acbf05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/f8b20358c3cd8fd3d784452901876f2db0acbf05"
}
],
"source": {
"advisory": "GHSA-jrvj-84mg-8f29",
"discovery": "UNKNOWN"
},
"title": "MISP: Improper UUID validation in MISP Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44379",
"datePublished": "2026-05-13T20:53:36.024Z",
"dateReserved": "2026-05-05T20:15:20.631Z",
"dateUpdated": "2026-05-14T12:57:42.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8080 (GCVE-0-2026-8080)
Vulnerability from nvd – Published: 2026-05-07 12:07 – Updated: 2026-05-07 14:57
VLAI?
Title
MISP core - Stored XSS in MISP template (old engine) element attribute type
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/62824e5ca0056… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:47:09.800042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:26.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Luciano Righetti"
},
{
"lang": "en",
"type": "finder",
"value": "Bj\u00f8rn Helseth (TV 2 Norway)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects MISP before 2.5.37.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the \u003ccode\u003eTemplateElementAttribute\u003c/code\u003e \u003ccode\u003etype\u003c/code\u003e and \u003ccode\u003ecategory\u003c/code\u003e fields without validating them against the known MISP attribute type and category definitions.\u0026nbsp;An attacker with permission to create or modify template element attributes could store a crafted \u003ccode\u003etype\u003c/code\u003e value.\u003c/p\u003e\u003cbr\u003eThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.\n\n\n\n\n\n\nThis issue affects MISP before 2.5.37.\n\n\n\n\nA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions.\u00a0An attacker with permission to create or modify template element attributes could store a crafted type value.\n\n\nThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T12:07:59.273Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP core - Stored XSS in MISP template (old engine) element attribute type",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-8080",
"datePublished": "2026-05-07T12:07:59.273Z",
"dateReserved": "2026-05-07T12:05:55.978Z",
"dateUpdated": "2026-05-07T14:57:26.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39962 (GCVE-0-2026-39962)
Vulnerability from nvd – Published: 2026-04-09 16:37 – Updated: 2026-04-10 14:07
VLAI?
Title
LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Severity ?
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/MISP/MISP/commit/380ee4136a7d9… | x_refsource_MISC |
| https://github.com/MISP/MISP/commit/d7d671ea8f582… | x_refsource_MISC |
| https://github.com/MISP/MISP/releases/tag/v2.5.36 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:06:56.445635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:07:02.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.36"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:37:38.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63"
},
{
"name": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10"
},
{
"name": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32"
},
{
"name": "https://github.com/MISP/MISP/releases/tag/v2.5.36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/releases/tag/v2.5.36"
}
],
"source": {
"advisory": "GHSA-mc53-48w8-9g63",
"discovery": "UNKNOWN"
},
"title": "LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39962",
"datePublished": "2026-04-09T16:37:38.880Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-04-10T14:07:02.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67906 (GCVE-0-2025-67906)
Vulnerability from nvd – Published: 2025-12-15 03:25 – Updated: 2025-12-21 01:07
VLAI?
Summary
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:04:07.901652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:04:11.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-21T01:07:34.796Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054"
},
{
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0031"
},
{
"url": "https://github.com/franckferman/GCVE-1-2025-0030"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28"
},
{
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67906",
"datePublished": "2025-12-15T03:25:46.324Z",
"dateReserved": "2025-12-15T03:25:45.994Z",
"dateUpdated": "2025-12-21T01:07:34.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44379 (GCVE-0-2026-44379)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:53 – Updated: 2026-05-14 12:57
VLAI?
Title
MISP: Improper UUID validation in MISP Collections
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/MISP/MISP/commit/f8b20358c3cd8… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:57:25.706804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:57:42.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:53:36.024Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-jrvj-84mg-8f29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-jrvj-84mg-8f29"
},
{
"name": "https://github.com/MISP/MISP/commit/f8b20358c3cd8fd3d784452901876f2db0acbf05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/f8b20358c3cd8fd3d784452901876f2db0acbf05"
}
],
"source": {
"advisory": "GHSA-jrvj-84mg-8f29",
"discovery": "UNKNOWN"
},
"title": "MISP: Improper UUID validation in MISP Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44379",
"datePublished": "2026-05-13T20:53:36.024Z",
"dateReserved": "2026-05-05T20:15:20.631Z",
"dateUpdated": "2026-05-14T12:57:42.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44380 (GCVE-0-2026-44380)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:51 – Updated: 2026-05-14 19:52
VLAI?
Title
MISP: Improper access control in auth key reset allows privilege escalation to site administrator
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T16:05:19.358078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:52:16.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:51:30.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc"
}
],
"source": {
"advisory": "GHSA-3939-4g6m-m3hc",
"discovery": "UNKNOWN"
},
"title": "MISP: Improper access control in auth key reset allows privilege escalation to site administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44380",
"datePublished": "2026-05-13T20:51:30.955Z",
"dateReserved": "2026-05-05T20:15:20.632Z",
"dateUpdated": "2026-05-14T19:52:16.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44381 (GCVE-0-2026-44381)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:50 – Updated: 2026-05-14 15:53
VLAI?
Title
MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:51:53.243137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:53:03.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:50:04.152Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jr"
}
],
"source": {
"advisory": "GHSA-4cxp-22wm-j6jr",
"discovery": "UNKNOWN"
},
"title": "MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44381",
"datePublished": "2026-05-13T20:50:04.152Z",
"dateReserved": "2026-05-05T20:15:20.632Z",
"dateUpdated": "2026-05-14T15:53:03.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8080 (GCVE-0-2026-8080)
Vulnerability from cvelistv5 – Published: 2026-05-07 12:07 – Updated: 2026-05-07 14:57
VLAI?
Title
MISP core - Stored XSS in MISP template (old engine) element attribute type
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/62824e5ca0056… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:47:09.800042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:26.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Luciano Righetti"
},
{
"lang": "en",
"type": "finder",
"value": "Bj\u00f8rn Helseth (TV 2 Norway)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects MISP before 2.5.37.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the \u003ccode\u003eTemplateElementAttribute\u003c/code\u003e \u003ccode\u003etype\u003c/code\u003e and \u003ccode\u003ecategory\u003c/code\u003e fields without validating them against the known MISP attribute type and category definitions.\u0026nbsp;An attacker with permission to create or modify template element attributes could store a crafted \u003ccode\u003etype\u003c/code\u003e value.\u003c/p\u003e\u003cbr\u003eThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.\n\n\n\n\n\n\nThis issue affects MISP before 2.5.37.\n\n\n\n\nA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions.\u00a0An attacker with permission to create or modify template element attributes could store a crafted type value.\n\n\nThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T12:07:59.273Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP core - Stored XSS in MISP template (old engine) element attribute type",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-8080",
"datePublished": "2026-05-07T12:07:59.273Z",
"dateReserved": "2026-05-07T12:05:55.978Z",
"dateUpdated": "2026-05-07T14:57:26.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39962 (GCVE-0-2026-39962)
Vulnerability from cvelistv5 – Published: 2026-04-09 16:37 – Updated: 2026-04-10 14:07
VLAI?
Title
LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Severity ?
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/MISP/MISP/commit/380ee4136a7d9… | x_refsource_MISC |
| https://github.com/MISP/MISP/commit/d7d671ea8f582… | x_refsource_MISC |
| https://github.com/MISP/MISP/releases/tag/v2.5.36 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:06:56.445635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:07:02.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.36"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:37:38.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63"
},
{
"name": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10"
},
{
"name": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32"
},
{
"name": "https://github.com/MISP/MISP/releases/tag/v2.5.36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/releases/tag/v2.5.36"
}
],
"source": {
"advisory": "GHSA-mc53-48w8-9g63",
"discovery": "UNKNOWN"
},
"title": "LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39962",
"datePublished": "2026-04-09T16:37:38.880Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-04-10T14:07:02.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67906 (GCVE-0-2025-67906)
Vulnerability from cvelistv5 – Published: 2025-12-15 03:25 – Updated: 2025-12-21 01:07
VLAI?
Summary
In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67906",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T16:04:07.901652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T16:04:11.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"lessThan": "2.5.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-21T01:07:34.796Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054"
},
{
"url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0031"
},
{
"url": "https://github.com/franckferman/GCVE-1-2025-0030"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28"
},
{
"url": "https://github.com/franckferman/CVE-2025-67906"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67906",
"datePublished": "2025-12-15T03:25:46.324Z",
"dateReserved": "2025-12-15T03:25:45.994Z",
"dateUpdated": "2025-12-21T01:07:34.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GCVE-1-2026-0032 (CVE-2026-8080)
Vulnerability from gna-1 – Published: 2026-05-07 12:09 – Updated: 2026-05-07 12:09
VLAI?
Title
MISP core - Stored XSS in MISP template (old engine) element attribute type
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/62824e5ca0056… | patchLuciano Righetti |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Luciano Righetti"
},
{
"lang": "en",
"type": "finder",
"value": "Bj\u00f8rn Helseth (TV 2 Norway)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.\u003cp\u003eThis issue affects MISP before 2.5.37.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the \u003ccode\u003eTemplateElementAttribute\u003c/code\u003e \u003ccode\u003etype\u003c/code\u003e and \u003ccode\u003ecategory\u003c/code\u003e fields without validating them against the known MISP attribute type and category definitions.\u0026nbsp;An attacker with permission to create or modify template element attributes could store a crafted \u003ccode\u003etype\u003c/code\u003e value.\u003c/p\u003e\u003cbr\u003eThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in misp allows Stored XSS.This issue affects MISP before 2.5.37.\n\n\nA stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions.\u00a0An attacker with permission to create or modify template element attributes could store a crafted type value.\n\n\nThis affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch",
"Luciano Righetti"
],
"url": "https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP core - Stored XSS in MISP template (old engine) element attribute type",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0032"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-8080",
"datePublished": "2026-05-07T12:09:04.093898Z",
"dateUpdated": "2026-05-07T12:09:04.093898Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0032",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-05-07T12:09:04.093898Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0031 (CVE-2026-44381)
Vulnerability from gna-1 – Published: 2026-04-29 20:14 – Updated: 2026-05-06 16:00
VLAI?
Title
MISP - SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Summary
A SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name.
An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact.
The issue was fixed by removing direct use of the user-supplied order parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/53fc6be7da1c0… | pat |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.37",
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Jeroen Gui"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted \u003ccode\u003eorder\u003c/code\u003e or \u003ccode\u003esort\u003c/code\u003e values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name.\u003c/p\u003e\n\u003cp\u003eAn attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact.\u003c/p\u003e\n\u003cp\u003eThe issue was fixed by removing direct use of the user-supplied \u003ccode\u003eorder\u003c/code\u003e parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name.\n\n\nAn attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact.\n\n\nThe issue was fixed by removing direct use of the user-supplied order parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"pat"
],
"url": "https://github.com/MISP/MISP/commit/53fc6be7da1c010ca4696a37c6e27bb699377efa"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP - SQL injection via unvalidated ordering parameters in event and shadow attribute listings",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0031"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-44381",
"datePublished": "2026-04-29T20:14:00.000Z",
"dateUpdated": "2026-05-06T16:00:13.755114Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0031",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T20:14:47.117221Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-05-06T16:00:13.755114Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0030 (CVE-2026-44380)
Vulnerability from gna-1 – Published: 2026-04-29 20:10 – Updated: 2026-05-06 16:01
VLAI?
Title
MISP - Improper access control in auth key reset allows privilege escalation to site administrator
Summary
An improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. The issue is fixed by preventing non-site administrators from viewing or resetting authentication keys associated with site administrator roles.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/cb4048873ca93… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "\u003c2.5.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Jeroen Gui"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. The issue is fixed by preventing non-site administrators from viewing or resetting authentication keys associated with site administrator roles."
}
],
"value": "An improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. The issue is fixed by preventing non-site administrators from viewing or resetting authentication keys associated with site administrator roles."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/cb4048873ca934855007406b87ae0d124f50224a"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP - Improper access control in auth key reset allows privilege escalation to site administrator",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0030"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-44380",
"datePublished": "2026-04-29T20:10:00.000Z",
"dateUpdated": "2026-05-06T16:01:17.334511Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0030",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T20:10:32.991353Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-05-06T16:01:17.334511Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0029 (CVE-2026-44379)
Vulnerability from gna-1 – Published: 2026-04-29 20:03 – Updated: 2026-05-06 16:01
VLAI?
Title
Improper UUID validation in MISP Collections
Summary
MISP Collections did not enforce RFC 4122 UUID validation on the `uuid` field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers.
The issue has been fixed by adding model-level validation for the Collection `uuid` field. The field is now required to match a valid RFC 4122 UUID before being accepted. The fix was committed in `f8b20358c3cd8fd3d784452901876f2db0acbf05` and is included in MISP v2.5.37.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/f8b20358c3cd8… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP Collections did not enforce RFC 4122 UUID validation on the `uuid` field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers.\u003cbr\u003e\u003cbr\u003eThe issue has been fixed by adding model-level validation for the Collection `uuid` field. The field is now required to match a valid RFC 4122 UUID before being accepted. The fix was committed in `f8b20358c3cd8fd3d784452901876f2db0acbf05` and is included in MISP v2.5.37."
}
],
"value": "MISP Collections did not enforce RFC 4122 UUID validation on the `uuid` field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers.\n\nThe issue has been fixed by adding model-level validation for the Collection `uuid` field. The field is now required to match a valid RFC 4122 UUID before being accepted. The fix was committed in `f8b20358c3cd8fd3d784452901876f2db0acbf05` and is included in MISP v2.5.37."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/f8b20358c3cd8fd3d784452901876f2db0acbf05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper UUID validation in MISP Collections",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0029"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-44379",
"datePublished": "2026-04-29T20:03:00.000Z",
"dateUpdated": "2026-05-06T16:01:52.283022Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0029",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T20:03:59.892100Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-05-06T16:01:52.283022Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0024 (CVE-2026-39962)
Vulnerability from gna-1 – Published: 2026-04-08 08:28 – Updated: 2026-04-09 04:44
VLAI?
Title
LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable
Summary
Improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/d7d671ea8f582… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.36",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ayush Parkara"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Luciano Righetti"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0024"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-39962",
"datePublished": "2026-04-08T08:28:00.000Z",
"dateUpdated": "2026-04-09T04:44:04.936665Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0024",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-08T08:28:26.044700Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-04-09T04:44:04.936665Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0022
Vulnerability from gna-1 – Published: 2026-03-30 09:48 – Updated: 2026-03-30 09:48
VLAI?
Title
MISP - Beta Overmind UI Stored Cross-Site Scripting in Galaxy and Comment Fields
Summary
Stored XSS in the Overmind UI (not enabled by default) due to missing output escaping of galaxy cluster values and attribute comments, allowing malicious JavaScript execution when crafted content is viewed.
This issue affects misp: from 2.5.30 through 2.5.35 in the beta UI.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/b9bc50c715a1e… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.35",
"status": "affected",
"version": "2.5.30",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bilal Teke"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Thomas Lacroix"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nStored XSS in the Overmind UI (not enabled by default) due to missing output escaping of galaxy cluster values and attribute comments, allowing malicious JavaScript execution when crafted content is viewed.\u003cbr\u003e\u003cp\u003eThis issue affects misp: from 2.5.30 through 2.5.35 in the beta UI.\u003c/p\u003e"
}
],
"value": "Stored XSS in the Overmind UI (not enabled by default) due to missing output escaping of galaxy cluster values and attribute comments, allowing malicious JavaScript execution when crafted content is viewed.\nThis issue affects misp: from 2.5.30 through 2.5.35 in the beta UI."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/b9bc50c715a1e886889f063f14dec1a26e442227"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP - Beta Overmind UI Stored Cross-Site Scripting in Galaxy and Comment Fields",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0022"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-03-30T09:48:36.968649Z",
"dateUpdated": "2026-03-30T09:48:36.968649Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0022",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-03-30T09:48:36.968649Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0019
Vulnerability from gna-1 – Published: 2026-02-27 14:55 – Updated: 2026-02-27 15:44
VLAI?
Title
Improper URL validation in MISP dashboard button widget allows external redirection
Summary
A vulnerability in the dashboard button widget component allows improper handling of user-supplied URLs, which could lead to unintended redirection to external websites.
Prior to the fix, the application directly embedded a user-controlled url parameter into an HTML anchor element without validating whether the target was a local path. An attacker able to influence widget configuration could supply a crafted URL containing an external scheme or host, causing users to be redirected to attacker-controlled websites when clicking the dashboard button.
The issue results from insufficient validation of URL components before rendering the link. The patch introduces strict parsing and validation using parse_url() to ensure that only relative paths beginning with / are accepted and rejects URLs containing a scheme, host, or user component.
If an invalid URL is detected, the application now renders a non-clickable button instead of a link.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/f02dafd508699… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.32",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
},
{
"lang": "en",
"type": "finder",
"value": "Maxime ESCOURBIAC from Michelin CERT"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the dashboard button widget component allows improper handling of user-supplied URLs, which could lead to unintended redirection to external websites.\u003c/p\u003e\n\u003cp\u003ePrior to the fix, the application directly embedded a user-controlled \u003ccode\u003eurl\u003c/code\u003e parameter into an HTML anchor element without validating whether the target was a local path. An attacker able to influence widget configuration could supply a crafted URL containing an external scheme or host, causing users to be redirected to attacker-controlled websites when clicking the dashboard button.\u003c/p\u003e\n\u003cp\u003eThe issue results from insufficient validation of URL components before rendering the link. The patch introduces strict parsing and validation using \u003ccode\u003eparse_url()\u003c/code\u003e to ensure that only relative paths beginning with \u003ccode\u003e/\u003c/code\u003e are accepted and rejects URLs containing a scheme, host, or user component.\u003c/p\u003e\n\u003cp\u003eIf an invalid URL is detected, the application now renders a non-clickable button instead of a link.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability in the dashboard button widget component allows improper handling of user-supplied URLs, which could lead to unintended redirection to external websites.\n\n\nPrior to the fix, the application directly embedded a user-controlled url parameter into an HTML anchor element without validating whether the target was a local path. An attacker able to influence widget configuration could supply a crafted URL containing an external scheme or host, causing users to be redirected to attacker-controlled websites when clicking the dashboard button.\n\n\nThe issue results from insufficient validation of URL components before rendering the link. The patch introduces strict parsing and validation using parse_url() to ensure that only relative paths beginning with / are accepted and rejects URLs containing a scheme, host, or user component.\n\n\nIf an invalid URL is detected, the application now renders a non-clickable button instead of a link."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/f02dafd5086990c6396524ed37ee76d07f23b854"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper URL validation in MISP dashboard button widget allows external redirection",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0019"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-02-27T14:55:00.000Z",
"dateUpdated": "2026-02-27T15:44:29.998063Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0019",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-02-27T14:55:29.840231Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-02-27T15:44:29.998063Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0018
Vulnerability from gna-1 – Published: 2026-02-27 13:25 – Updated: 2026-02-27 13:25
VLAI?
Title
Improper access control in MISP user contact form allows cross-organisation email targeting
Summary
A flaw in the admin_email() action allowed a non–site-admin user to submit the contact/email form in a way that bypassed intended organisation restrictions. The server-side logic did not sufficiently verify that the recipient organisation provided in the request was one the user was authorized to target. As a result, an authenticated user could potentially send emails to users outside their own organisation by manipulating the recipient organisation selection (e.g., by tampering with request parameters).
Severity ?
CWE
Assigner
References
1 reference
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Maxime ESCOURBIAC from Michelin CERT"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A flaw in the \u003ccode\u003eadmin_email()\u003c/code\u003e action allowed a non\u2013site-admin user to submit the contact/email form in a way that bypassed intended organisation restrictions. The server-side logic did not sufficiently verify that the recipient organisation provided in the request was one the user was authorized to target. As a result, an authenticated user could potentially send emails to users outside their own organisation by manipulating the recipient organisation selection (e.g., by tampering with request parameters)."
}
],
"value": "A flaw in the admin_email() action allowed a non\u2013site-admin user to submit the contact/email form in a way that bypassed intended organisation restrictions. The server-side logic did not sufficiently verify that the recipient organisation provided in the request was one the user was authorized to target. As a result, an authenticated user could potentially send emails to users outside their own organisation by manipulating the recipient organisation selection (e.g., by tampering with request parameters)."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/c7c11678dcb4f7040d3dab1f7af6b011fc3fd568"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper access control in MISP user contact form allows cross-organisation email targeting",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0018"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-02-27T13:25:32.632362Z",
"dateUpdated": "2026-02-27T13:25:32.632362Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0018",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-02-27T13:25:32.632362Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0016
Vulnerability from gna-1 – Published: 2026-02-27 10:56 – Updated: 2026-02-27 10:56
VLAI?
Title
Server-Side Request Forgery via Event Report Import From URL in MISP
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Event Report import from URL functionality of MISP prior to the fix introduced in commit `71fb543a1929de73a53a8ce645cb446f684ec243`.
The `importReportFromUrl` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.
This behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.
The issue has been addressed by gating the functionality behind a new configuration setting:
The feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/71fb543a1929d… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.32",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
},
{
"lang": "en",
"type": "finder",
"value": "Maxime ESCOURBIAC from Michelin CERT"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the\u0026nbsp;\u003ci\u003eEvent Report import from URL\u003c/i\u003e functionality of MISP prior to the fix introduced in commit `\u003ctt\u003e71fb543a1929de73a53a8ce645cb446f684ec243\u003c/tt\u003e`.\u003cbr\u003e\u003cbr\u003eThe `\u003ctt\u003eimportReportFromUrl\u003c/tt\u003e` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.\u003cbr\u003e\u003cbr\u003eThis behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eThe issue has been addressed by gating the functionality behind a new configuration setting:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the\u00a0Event Report import from URL functionality of MISP prior to the fix introduced in commit `71fb543a1929de73a53a8ce645cb446f684ec243`.\n\nThe `importReportFromUrl` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.\n\nThis behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.\n\nThe issue has been addressed by gating the functionality behind a new configuration setting:\n\n\n\n\nThe feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:L/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/71fb543a1929de73a53a8ce645cb446f684ec243"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery via Event Report Import From URL in MISP",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0016"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-02-27T10:56:32.745676Z",
"dateUpdated": "2026-02-27T10:56:32.745676Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0016",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-02-27T10:56:32.745676Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0003
Vulnerability from gna-1 – Published: 2026-01-13 10:50 – Updated: 2026-01-13 10:54
VLAI?
Title
Stored/Reflected XSS via Unsanitized Parameters in URL Generation and JavaScript Context
Summary
A cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.
In app/View/Elements/genericElements/SideMenu/side_menu.ctp, the $id parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.
In app/View/Templates/ajax/template_choices.ctp, user-controlled values (Template.id, $id, and template metadata) were embedded directly into an inline onClick handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.
An attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.
The issue requires user interaction (e.g., clicking a crafted link) to be exploited.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/48e0376b535ea… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.31",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mathis Franel"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.\u003c/p\u003e\n\u003cp\u003eIn \u003ccode\u003eapp/View/Elements/genericElements/SideMenu/side_menu.ctp\u003c/code\u003e, the \u003ccode\u003e$id\u003c/code\u003e parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.\u003c/p\u003e\n\u003cp\u003eIn \u003ccode\u003eapp/View/Templates/ajax/template_choices.ctp\u003c/code\u003e, user-controlled values (\u003ccode\u003eTemplate.id\u003c/code\u003e, \u003ccode\u003e$id\u003c/code\u003e, and template metadata) were embedded directly into an inline \u003ccode\u003eonClick\u003c/code\u003e handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.\u003c/p\u003e\n\u003cp\u003eAn attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.\u003c/p\u003e\n\u003cp\u003eThe issue requires user interaction (e.g., clicking a crafted link) to be exploited.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability exists in the web application due to improper sanitization of user-controlled input when generating URLs and embedding parameters into JavaScript contexts.\n\n\nIn app/View/Elements/genericElements/SideMenu/side_menu.ctp, the $id parameter was passed directly into a JavaScript function call without HTML escaping, allowing an attacker to inject arbitrary JavaScript code via a crafted identifier.\n\n\nIn app/View/Templates/ajax/template_choices.ctp, user-controlled values (Template.id, $id, and template metadata) were embedded directly into an inline onClick handler and HTML attributes without sufficient context-aware escaping, enabling XSS through crafted URLs or manipulated template data.\n\n\nAn attacker able to supply or influence these parameters could craft malicious links that, when clicked by a victim, execute arbitrary JavaScript in the context of the authenticated user. This could lead to session hijacking, account takeover, or unauthorized actions within the application.\n\n\nThe issue requires user interaction (e.g., clicking a crafted link) to be exploited."
}
],
"impacts": [
{
"capecId": "CAPEC-18",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-18 XSS Targeting Non-Script Elements"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/48e0376b535ea6d26d631d8259923a29f1a6de4e"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored/Reflected XSS via Unsanitized Parameters in URL Generation and JavaScript Context",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0003"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-01-13T10:50:00.000Z",
"dateUpdated": "2026-01-13T10:54:13.659223Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0003",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T10:50:48.587127Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T10:54:13.659223Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0040
Vulnerability from gna-1 – Published: 2025-12-13 08:44 – Updated: 2025-12-13 08:44
VLAI?
Summary
A cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim’s browser.
The vulnerability was caused by unsafe DOM manipulation in the onError handler of <img> elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using outerHTML, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.
An authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/78b4859f1c033… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.29",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim\u2019s browser.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe vulnerability was caused by unsafe DOM manipulation in the \u003ccode\u003eonError\u003c/code\u003e handler of \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using \u003ccode\u003eouterHTML\u003c/code\u003e, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAn authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in the event index table rendering logic related to organisation logos. The issue could allow attacker-controlled organisation names to be interpreted as executable HTML/JavaScript in a victim\u2019s browser.\n\n\n\n\nThe vulnerability was caused by unsafe DOM manipulation in the onError handler of \u003cimg\u003e elements used to display organisation logos in the event index view. When an organisation logo failed to load, the application replaced the image element using outerHTML, directly injecting the organisation name into the DOM. Under certain conditions, this could allow maliciously crafted organisation names to trigger XSS.\n\n\n\n\nAn authenticated attacker able to control organisation metadata (such as the organisation name) could potentially execute arbitrary JavaScript in the context of another user viewing the event index page. This may lead to session hijacking, UI manipulation, or other client-side attacks."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/AU:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/78b4859f1c033e4a53cf7ba049c39c056b6810ff"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0040"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-13T08:44:32.378924Z",
"dateUpdated": "2025-12-13T08:44:32.378924Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0040",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-13T08:44:32.378924Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0039
Vulnerability from gna-1 – Published: 2025-12-10 14:33 – Updated: 2025-12-10 14:33
VLAI?
Title
XSS Reintroduced in MISP Dashboard World Map Widget Due to Restored Widget Configuration Functionality
Summary
A cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the World Map dashboard widget and the supporting JavaScript logic that handles widget configuration and rendering.
A prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to GridStack 1.2 unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/e651e606f8a2c… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the \u003cstrong\u003eWorld Map dashboard widget\u003c/strong\u003e and the supporting JavaScript logic that handles widget configuration and rendering.\u003c/p\u003e\n\u003cp\u003eA prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to \u003cstrong\u003eGridStack 1.2\u003c/strong\u003e unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in the MISP dashboard subsystem, specifically in the World Map dashboard widget and the supporting JavaScript logic that handles widget configuration and rendering.\n\n\nA prior XSS fix related to unsafe handling of widget configuration and tooltip rendering had been in place, but the upgrade to GridStack 1.2 unintentionally broke dashboard widget configuration persistence. When the patch restored correct widget config handling, the previously mitigated XSS vector became reachable again."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/e651e606f8a2cb2504fc21f2c453395666b68d4f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS Reintroduced in MISP Dashboard World Map Widget Due to Restored Widget Configuration Functionality",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0039"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:33:52.856734Z",
"dateUpdated": "2025-12-10T14:33:52.856734Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0039",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:33:52.856734Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0038
Vulnerability from gna-1 – Published: 2025-12-10 14:10 – Updated: 2025-12-10 14:16
VLAI?
Title
Reflected XSS in MISP Template Tag Removal and MISP Admin User Filter Handling
Summary
A cross-site scripting (XSS) vulnerability was identified in two MISP views:
*
ajaxTemplateTag.ctp
*
Users/admin_index.ctp
1. ajaxTemplateTag.ctp
The JavaScript function call used for removing a template tag included both the tag ID and tag name.
Even though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:
By eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.
2. Users/admin_index.ctp
The admin user list view passed unescaped filter parameters into the getPopup handler.
If $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked “Modify filters.”
The vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:
*
The attacker to create or manipulate tag names or URL parameters in specific ways.
*
An administrator to interact with the affected UI elements (e.g., clicking “Remove tag” or “Modify filters”).
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/27f65c52ab66f… | patch |
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was identified in two MISP views:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n1. \u003ccode\u003eajaxTemplateTag.ctp\u003c/code\u003e\n\u003cp\u003eThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\u003c/p\u003e\u003cp\u003eEven though the tag name was escaped with \u003ccode\u003eh()\u003c/code\u003e, its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\u003cbr\u003e\u003c/p\u003e\u003cdiv\u003eBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2. \u003ccode\u003eUsers/admin_index.ctp\u003c/code\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe admin user list view passed unescaped filter parameters into the \u003ccode\u003egetPopup\u003c/code\u003e handler.\u003cbr\u003e\u003cbr\u003eIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThe vulnerabilities are classified as \u003cstrong\u003elow impact\u003c/strong\u003e and \u003cstrong\u003ehigh difficulty\u003c/strong\u003e, as noted in the patch. Exploitation requires:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe attacker to create or manipulate tag names or URL parameters in specific ways.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d).\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was identified in two MISP views:\n\n\n\n * \najaxTemplateTag.ctp\n\n\n\n\n * \nUsers/admin_index.ctp\n\n\n\n\n\n\n\n1. ajaxTemplateTag.ctp\nThe JavaScript function call used for removing a template tag included both the tag ID and tag name.\n\nEven though the tag name was escaped with h(), its placement inside a JavaScript string literal within an HTML attribute represents a fragile construction. Under specific conditions, crafted tag names containing special characters may break out of the JavaScript context, enabling XSS. The patch removes the unsafe second parameter:\n\n\nBy eliminating unnecessary exposure of user-controlled data to JavaScript, the potential XSS vector is removed.\n\n\n\n\n2. Users/admin_index.ctp\n\n\n\n\nThe admin user list view passed unescaped filter parameters into the getPopup handler.\n\nIf $urlparams contained attacker-influenced content, a crafted URL could inject JavaScript that would execute when an administrator clicked \u201cModify filters.\u201d\n\n\n\n\nThe vulnerabilities are classified as low impact and high difficulty, as noted in the patch. Exploitation requires:\n\n\n\n * \nThe attacker to create or manipulate tag names or URL parameters in specific ways.\n\n\n\n\n * \nAn administrator to interact with the affected UI elements (e.g., clicking \u201cRemove tag\u201d or \u201cModify filters\u201d)."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/27f65c52ab66fdc67e86883bd7f28b02a8f24aa0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in MISP Template Tag Removal and MISP Admin User Filter Handling",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0038"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:10:00.000Z",
"dateUpdated": "2025-12-10T14:16:55.918270Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0038",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:10:48.440939Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:16:55.918270Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0037
Vulnerability from gna-1 – Published: 2025-12-10 14:01 – Updated: 2025-12-10 14:01
VLAI?
Title
Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL
Summary
A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:
*
APIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)
*
LoginsWidget (app/Lib/Dashboard/LoginsWidget.php)
Both widgets construct HTML output using the instance’s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.
If an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.
Because the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:
*
Session hijacking within admin context (if cookies are accessible)
*
Execution of arbitrary actions as another site admin
*
Defacement or injection of misleading information into dashboards
This is considered low impact but with high exploitation requirements, as noted in the patch.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eAPIActivityWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/APIActivityWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003eLoginsWidget\u003c/code\u003e (\u003ccode\u003eapp/Lib/Dashboard/LoginsWidget.php\u003c/code\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBoth widgets construct HTML output using the instance\u2019s base URL. While \u003ccode\u003eMISP.baseurl\u003c/code\u003e was properly HTML-escaped, the alternative configuration value \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e was not escaped when read from configuration.\u003c/p\u003e\u003cp\u003eIf an attacker with administrative privileges can set or influence the \u003ccode\u003eMISP.external_baseurl\u003c/code\u003e configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSession hijacking within admin context (if cookies are accessible)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eExecution of arbitrary actions as another site admin\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDefacement or injection of misleading information into dashboards\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis is considered \u003cstrong\u003elow impact\u003c/strong\u003e but with \u003cstrong\u003ehigh exploitation requirements\u003c/strong\u003e, as noted in the patch.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability was discovered in two dashboard widgets within the MISP application:\n\n\n\n * \nAPIActivityWidget (app/Lib/Dashboard/APIActivityWidget.php)\n\n\n\n\n * \nLoginsWidget (app/Lib/Dashboard/LoginsWidget.php)\n\n\n\n\n\n\n\nBoth widgets construct HTML output using the instance\u2019s base URL. While MISP.baseurl was properly HTML-escaped, the alternative configuration value MISP.external_baseurl was not escaped when read from configuration.\n\nIf an attacker with administrative privileges can set or influence the MISP.external_baseurl configuration value, they can inject arbitrary HTML or JavaScript, which will be rendered in the dashboard widgets of other site administrators. The issue was resolved by enforcing HTML escaping on the external base URL as well.\n\n\n\nBecause the affected widgets are only visible to administrators and the attack requires the attacker to already be a site administrator, the impact is limited. However, if exploited, an administrative user could inject JavaScript that executes in the browsers of other administrators viewing dashboard widgets, leading to:\n\n\n\n * \nSession hijacking within admin context (if cookies are accessible)\n\n\n\n\n * \nExecution of arbitrary actions as another site admin\n\n\n\n\n * \nDefacement or injection of misleading information into dashboards\n\n\n\n\n\n\n\nThis is considered low impact but with high exploitation requirements, as noted in the patch."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/cac45809bf2001d47e092d6efbb7965306a13148"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in MISP Dashboard Widgets via Unescaped Base URL",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0037"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T14:01:03.200804Z",
"dateUpdated": "2025-12-10T14:01:03.200804Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0037",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T14:01:03.200804Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0036
Vulnerability from gna-1 – Published: 2025-12-10 13:46 – Updated: 2025-12-10 13:46
VLAI?
Title
A reflected cross-site scripting (XSS) vulnerability was identified in the MISp Servers preview index
Summary
A reflected cross-site scripting (XSS) vulnerability was identified in the Servers preview index view (app/View/Servers/preview_index.ctp). The view passes URL parameters directly into the onClickParams argument of the getPopup handler without proper HTML encoding.
Because $urlparams can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the “Modify filters” button, the injected script is executed in their browser in the context of the application.
This issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.27",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA reflected cross-site scripting (XSS) vulnerability was identified in the \u003cem\u003eServers preview index\u003c/em\u003e view (\u003ccode\u003eapp/View/Servers/preview_index.ctp\u003c/code\u003e). The view passes URL parameters directly into the \u003ccode\u003eonClickParams\u003c/code\u003e argument of the \u003ccode\u003egetPopup\u003c/code\u003e handler without proper HTML encoding.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eBecause \u003ccode\u003e$urlparams\u003c/code\u003e can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the \u003cstrong\u003e\u201cModify filters\u201d\u003c/strong\u003e button, the injected script is executed in their browser in the context of the application.\u003c/p\u003e\n\u003cp\u003eThis issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "A reflected cross-site scripting (XSS) vulnerability was identified in the Servers preview index view (app/View/Servers/preview_index.ctp). The view passes URL parameters directly into the onClickParams argument of the getPopup handler without proper HTML encoding.\n\n\nBecause $urlparams can be attacker-controlled, a specially crafted URL can inject arbitrary JavaScript into the generated page. When a site administrator follows such a malicious link and clicks the \u201cModify filters\u201d button, the injected script is executed in their browser in the context of the application.\n\n\nThis issue has been fixed by ensuring that the URL parameters are HTML-escaped before being embedded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/185a9fac1a9de112488013ffb3513644d4a02d59"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A reflected cross-site scripting (XSS) vulnerability was identified in the MISp Servers preview index",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0036"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2025-12-10T13:46:07.170083Z",
"dateUpdated": "2025-12-10T13:46:07.170083Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0036",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-12-10T13:46:07.170083Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTFR-2026-AVI-0515
Vulnerability from certfr_avis - Published: 2026-04-30 - Updated: 2026-05-18
De multiples vulnérabilités ont été découvertes dans MISP. Elles permettent à un attaquant de provoquer une élévation de privilèges, une injection SQL (SQLi) et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.37",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-44379",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44379"
},
{
"name": "CVE-2026-44381",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44381"
},
{
"name": "CVE-2026-39962",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39962"
},
{
"name": "CVE-2026-44380",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44380"
}
],
"initial_release_date": "2026-04-30T00:00:00",
"last_revision_date": "2026-05-18T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0515",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-30T00:00:00.000000"
},
{
"description": "Ajout de quatre identifiants CVE.",
"revision_date": "2026-05-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans MISP. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une injection SQL (SQLi) et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans MISP",
"vendor_advisories": [
{
"published_at": "2026-04-30",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}
CERTFR-2026-AVI-0229
Vulnerability from certfr_avis - Published: 2026-03-02 - Updated: 2026-03-02
De multiples vulnérabilités ont été découvertes dans MISP. Certaines d'entre elles permettent à un attaquant de provoquer une falsification de requêtes côté serveur (SSRF), une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.33",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
},
{
"description": "MISP modules versions ant\u00e9rieures \u00e0 3.0.5",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2026-03-02T00:00:00",
"last_revision_date": "2026-03-02T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0229",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-02T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans MISP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF), une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans MISP",
"vendor_advisories": [
{
"published_at": "2026-03-02",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}
CERTFR-2026-AVI-0030
Vulnerability from certfr_avis - Published: 2026-01-13 - Updated: 2026-01-13
Une vulnérabilité a été découverte dans MISP. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MISP versions ant\u00e9rieures \u00e0 2.5.32",
"product": {
"name": "MISP",
"vendor": {
"name": "MISP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2026-01-13T00:00:00",
"last_revision_date": "2026-01-13T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0030",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans MISP. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
"title": "Vuln\u00e9rabilit\u00e9 dans MISP",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 MISP",
"url": "https://www.misp-project.org/security/"
}
]
}