VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10856

Description

MISP dashboard widget flaw allows crafted URLs to redirect users to malicious external sites, enabling phishing and credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A URL validation flaw exists in the MISP dashboard button widget. The validation incorrectly accepted crafted relative-looking URLs, such as /\example.com, as local paths. Some browsers normalize backslashes to forward slashes, interpreting these as external URLs. The affected versions are not explicitly stated, but the fix is present in the provided commit [1].

Exploitation

An attacker must be able to configure or influence a dashboard button's URL. The attacker crafts a URL that appears to be internal but is interpreted by browsers as an external link. When a user clicks this button, they are redirected to an attacker-controlled site. This requires the attacker to have some level of control over the MISP dashboard configuration [1].

Impact

Successful exploitation can lead to phishing, credential theft, or social engineering attacks. Users are redirected to an attacker-controlled website, potentially compromising their sensitive information or tricking them into performing malicious actions. The scope of the compromise depends on the user's trust in the MISP dashboard and the nature of the phishing attack [1].

Mitigation

The vulnerability is fixed in the commit provided [1]. The patch rejects empty paths and paths starting with /\, and ensures only the validated URL is used in the anchor href. No specific fixed version is mentioned, but users should update to the latest version incorporating this commit. No workarounds are described, and the vulnerability is not listed as known exploited.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Misp/Mispreferences (2 versions, no CPE)

Patches

1
f879f16fb5db

fix: [security] follow up fix to earlier button fix

https://github.com/MISP/MISP · iglocska · Jun 3, 2026 · via nvd-ref
1 file changed · +2 −2
  • app/View/Elements/dashboard/Widgets/Button.ctp (+2 −2, modified)
    @@ -16,14 +16,14 @@
             $url = rawurldecode($url);
             $parts = parse_url($url);
     
    -        if ($parts === false || isset($parts['host']) || isset($parts['scheme']) || isset($parts['user']) || $parts['path'][0] !== '/') {
    +        if ($parts === false || isset($parts['host']) || isset($parts['scheme']) || isset($parts['user']) || empty($parts['path']) || $parts['path'][0] !== '/' || (strlen($parts['path']) > 1 && $parts['path'][1] === '\\')) {
                 echo sprintf('<button class="btn btn-secondary widget-button">%s</button>', __('Invalid URL'));
             } else {
                 $betterUrl = $parts['path']
                     . (isset($parts['query']) ? '?' . $parts['query'] : '')
                     . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
     
    -            echo '<a href="' . htmlspecialchars($betterUrl . $url, ENT_QUOTES, 'UTF-8') . '">';
    +            echo '<a href="' . htmlspecialchars($betterUrl, ENT_QUOTES, 'UTF-8') . '">';
                 echo '<button class="btn btn-primary widget-button">';
                 echo h($data['text']);
                 echo '</button></a>';
    
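Review bot: the new condition in the `if` only rejects a backslash at index 1 of `$parts['path']`, so the check is tied to one exact shape of input; a position-independent test such as `strpos($parts['path'], '\\') !== false` would reject any backslash in the path and is easier to reason about, and a short comment above the condition explaining that browsers treat `/\` like `//` would help the next reader. The `href` change from `$betterUrl . $url` to `$betterUrl` is correct, but the hunk adds no test: a regression case with `/\example.com` (expected: "Invalid URL") and a normal `/events/view/1` path (expected: unchanged href) would pin both fixes down.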

Vulnerability mechanics

Root cause

"A URL validation flaw accepted crafted relative-looking URLs as local paths that browsers interpreted as external URLs."

Attack vector

An attacker could configure or influence a dashboard button widget with a crafted URL. The validation logic failed to reject paths beginning with '/\', which some browsers normalize to a scheme-relative URL. This allows an attacker to create a button that appears to navigate internally but redirects users to an attacker-controlled site for phishing or credential theft [ref_id=1].

Affected code

The vulnerability exists in the dashboard button widget's URL handling logic. Specifically, the code in `app/View/Elements/dashboard/Widgets/original.ctp` parses the URL and applies validation checks. The patch modifies the conditional statement that validates the URL parts and the line that constructs the anchor tag's href attribute [ref_id=1].

What the fix does

The patch modifies the URL validation logic to reject empty paths and paths that start with '/\'. Additionally, the fix ensures that only the validated reconstructed URL is used in the anchor tag's href attribute, preventing the concatenation of the original potentially unsafe URL with the reconstructed one [patch_id=4797171, ref_id=1].
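To make the root cause and the fix concrete, here is an added example (not MISP's own code) that ports the Button.ctp check to JavaScript in its pre-fix and post-fix forms and resolves the resulting href the way a WHATWG-compliant browser does; the base host `misp.example` and the `parseUrl` approximation of PHP's `parse_url()` are assumptions of this example.

```javascript
// Added example (not MISP code): the Button.ctp validation before and after the
// fix, next to the WHATWG URL resolution browsers apply to the emitted href.
// Base host "misp.example" is a constructed placeholder.

// Approximation of PHP parse_url() sufficient for the inputs used here.
function parseUrl(raw) {
  let url;
  try { url = decodeURIComponent(raw); } catch { url = raw; } // rawurldecode()
  const m = /^(?:([a-z][a-z0-9+.-]*):)?(?:\/\/([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/i.exec(url);
  if (!m) return null;
  const [, scheme, authority, path, query, fragment] = m;
  return { url, scheme, host: authority, path, query, fragment };
}

// Returns the href the widget would emit, or null for "Invalid URL".
function validateButtonUrl(raw, { patched = true } = {}) {
  const p = parseUrl(raw);
  if (p === null || p.scheme !== undefined || p.host !== undefined) return null;
  if (patched) {
    // Fix: reject empty paths and "/\..." (backslash as the second character).
    if (p.path === "" || p.path[0] !== "/") return null;
    if (p.path.length > 1 && p.path[1] === "\\") return null;
  } else if (p.path[0] !== "/") {
    return null; // pre-fix: only the first character was inspected
  }
  const betterUrl = p.path
    + (p.query !== undefined ? "?" + p.query : "")
    + (p.fragment !== undefined ? "#" + p.fragment : "");
  // Pre-fix the anchor used $betterUrl . $url; the fix emits $betterUrl only.
  return patched ? betterUrl : betterUrl + p.url;
}

// Where a browser actually navigates when the href is clicked: the WHATWG
// parser treats "\" like "/" for http(s), so "/\example.com" leaves the host.
function browserTarget(href, base = "https://misp.example/dashboard") {
  return new URL(href, base).href;
}

// Constructed probes: a normal local path, the crafted path, its percent-encoded
// form (decoded by rawurldecode first), an authority-only URL, and an empty one.
const probes = ["/events/view/1?x=1#top", "/\\example.com", "%2F%5Cexample.com",
                "//evil.example", "https://evil.example/", ""];
for (const raw of probes) {
  const before = validateButtonUrl(raw, { patched: false });
  const after = validateButtonUrl(raw);
  console.log(JSON.stringify(raw),
    "| pre-fix:", before === null ? "rejected" : browserTarget(before),
    "| fixed:", after === null ? "rejected" : browserTarget(after));
}
```

The pre-fix run shows `/\example.com` accepted and resolved to `https://example.com/...`, while the fixed check rejects it and the encoded variant alike.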

Preconditions

  • input: The attacker must be able to configure or influence the URL of a dashboard button widget.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
