VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54393

Description

MISP Overmind theme stored XSS via setHomePage bypassing validation, fixed by using setSetting and HTML escaping.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A stored cross-site scripting vulnerability exists in MISP (all versions prior to commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2) when the Overmind theme is active. The setHomePage endpoint used setSettingInternal() directly, skipping the normal setSetting() validation logic which includes validate_homepage – a check that requires the homepage path to start with /. This allowed an authenticated user to store an arbitrary value, including a JavaScript payload, as their homepage path. The stored value was later rendered without HTML escaping in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link [1].

Exploitation

An authenticated MISP user with a valid session can craft a POST request to the setHomePage endpoint with a path parameter containing a malicious XSS payload (e.g., javascript:alert(1) or a URL containing `` tags). Because the Overmind theme code path bypassed validation, the payload is stored in the user setting. When the affected user or any user viewing the news page (if the setting is shared or rendered) sees the “Continue to homepage” link and clicks it, the JavaScript executes in their browser context [1].

Impact

Successful exploitation allows an attacker who is an authenticated user of the MISP instance to execute arbitrary JavaScript in the browser of any MISP user who clicks the crafted homepage link. This can lead to session hijacking, data exfiltration (including pages or cookies), or other client-side attacks within the context of the MISP application. The attacker does not need to be an administrator, only an authenticated user with the ability to set their homepage [1].

Mitigation

The vulnerability is fixed in commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2 (released June 12, 2026). The fix ensures that setHomePage always calls setSetting() – which enforces the validate_homepage check requiring the path to start with / – and HTML-escapes the homepage value (h()) before rendering it in the news view. Users should update MISP to the latest version containing this commit. No workaround is available for unpatched instances other than disabling the Overmind theme or restricting authenticated users from customizing their homepage [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Misp/Mispreferences2 versions
    • (no CPE)
    • (no CPE)

Patches (1)

d4733ca5d2fc

fix: [security] XSS in galaxy cluster source link

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
2 files changed · +13 −17
  • app/Controller/UserSettingsController.php · +12 −16 · modified
    @@ -382,22 +382,18 @@ public function setHomePage()
                 if (empty($this->request->data['path'])) {
                     throw new InvalidArgumentException(__('No path POSTed.'));
                 }
    -            if ($this->theme === "Overmind") {
    -                $result = $this->UserSetting->setSettingInternal(
    -                    $this->Auth->user('id'),
    -                    'homepage',
    -                    ['path' => $this->request->data['path']]
    -                );
    -            } else {
    -                $setting = array(
    -                    'UserSetting' => array(
    -                        'user_id' => $this->Auth->user('id'),
    -                        'setting' => 'homepage',
    -                        'value' => ['path' => $this->request->data['path']],
    -                    )
    -                );
    -                $result = $this->UserSetting->setSetting($this->Auth->user(), $setting);
    -            }
    +            $setting = array(
    +                'UserSetting' => array(
    +                    'user_id' => $this->Auth->user('id'),
    +                    'setting' => 'homepage',
    +                    'value' => ['path' => $this->request->data['path']],
    +                )
    +            );
    +            // Always persist through setSetting() so the homepage validation (validate_homepage,
    +            // which requires the path to start with '/') and the access/self-management checks run.
    +            // The Overmind theme previously called setSettingInternal() directly, skipping validation
    +            // and allowing an arbitrary path - e.g. an XSS payload - to be stored as the homepage.
    +            $result = $this->UserSetting->setSetting($this->Auth->user(), $setting);
                 return $this->RestResponse->saveSuccessResponse('UserSettings', 'setHomePage', false, 'json', 'Homepage set to ' . $this->request->data['path']);
             } else {
                 $this->layout = false;
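Review bot: `$result` is assigned from `setSetting()` but never inspected before `saveSuccessResponse()` is returned, so if `setSetting()` reports a `validate_homepage` failure by return value rather than by throwing, the client is still told `'Homepage set to ' . $this->request->data['path']` although nothing was stored. Either confirm that `setSetting()` throws on validation failure or branch on `$result` and return an error response for the rejected path. The commit message ("XSS in galaxy cluster source link") also does not describe this change; it should mention the Overmind homepage validation bypass fixed here.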
    
  • app/View/News/index.ctp · +1 −1 · modified
    @@ -3,7 +3,7 @@
         <?php if ($hasUnreadNews): ?>
         <div class="alert alert-success">
             <p><?= __('You have unread news.') ?></p>
    -        <a class="btn btn-success" href="<?= isset($homepage['path']) ? $homepage['path'] : $homepage ?>"><?= __('Continue to homepage') ?></a>
    +        <a class="btn btn-success" href="<?= h(isset($homepage['path']) ? $homepage['path'] : $homepage) ?>"><?= __('Continue to homepage') ?></a>
         </div>
         <?php endif; ?>
     
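Review bot: `h()` on the `href` neutralises quote and tag breakouts but leaves a `javascript:` value untouched, so this line is only safe because the controller change now rejects paths that do not start with `/`; homepage rows stored before this commit are not rewritten and would still render as clickable script URLs. Consider guarding the view as well, for example falling back to `'/'` when the path does not start with `/`, or shipping a one-off cleanup of existing homepage settings alongside the fix.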
    

Vulnerability mechanics

Root cause

"The Overmind theme's code path bypassed homepage validation by calling `setSettingInternal()` instead of `setSetting()`, allowing an arbitrary unsanitized value to be stored and later rendered without HTML escaping."

Attack vector

An authenticated user with access to the Overmind theme submits a POST request to the `setHomePage` endpoint with a malicious `path` value (e.g. `javascript:alert(1)`). Because the Overmind branch called `setSettingInternal()` instead of `setSetting()`, the `validate_homepage` check was skipped, allowing the arbitrary payload to be stored. When another user views the news page (`/news`), the stored value is rendered unsanitized in the `href` attribute; clicking the “Continue to homepage” link executes the attacker's JavaScript in the victim's browser. [ref_id=1]

Affected code

The `setHomePage` action in `app/Controller/UserSettingsController.php` conditionally called `setSettingInternal()` when the Overmind theme was active, bypassing validation. The homepage value was rendered unsanitized in `app/View/News/index.ctp` as the `href` attribute of the “Continue to homepage” link.

What the fix does

The patch removes the Overmind-specific conditional in `setHomePage()` so that all requests are persisted through `setSetting()`, which runs `validate_homepage` (requires the path to start with `/`) and enforces access/self-management checks. Additionally, the view template in `app/View/News/index.ctp` wraps the homepage output in CakePHP's `h()` function, which HTML-escapes special characters. Together these changes prevent both storage and rendering of an arbitrary XSS payload. [patch_id=5750824]
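
The two layers the fix relies on, modelled in plain PHP as an added example (not MISP's own code): a validate_homepage-style check on write, htmlspecialchars standing in for CakePHP's h() on render, and an audit over stored rows that predate the patch. The function names, the row layout and the sample rows are assumptions.

```php
<?php
// Modelled on the page's description of validate_homepage: the path must start with '/'.
function validate_homepage(string $path): bool
{
    return $path !== '' && $path[0] === '/';
}
// Stand-in for CakePHP's h(): htmlspecialchars with ENT_QUOTES, UTF-8 (assumed equivalent).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $homepage is either a plain string or ['path' => ...], as in app/View/News/index.ctp.
function homepage_path($homepage): string
{
    return is_array($homepage) ? (string)($homepage['path'] ?? '') : (string)$homepage;
}

// Post-fix rendering of the "Continue to homepage" link. Escaping stops attribute and tag
// breakouts, but a javascript: URL contains nothing to escape and passes through unchanged,
// so the write-side validation is what actually keeps a script URL out of the href.
function render_link_escaped($homepage): string
{
    return '<a class="btn btn-success" href="' . esc(homepage_path($homepage)) . '">Continue to homepage</a>';
}

// The patch validates new writes but does not rewrite rows stored before it. Flag every
// stored homepage that would fail validate_homepage today so an admin can reset it.
// A value that starts with '/' but carries a quote breakout is not flagged here; that
// case is the one h() now covers at render time.
function audit_homepages(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $path = homepage_path($row['value']);
        if ($row['setting'] === 'homepage' && !validate_homepage($path)) {
            $flagged[] = ['user_id' => $row['user_id'], 'path' => $path];
        }
    }
    return $flagged;
}

// Constructed sample rows in the assumed shape of user_settings (user_id, setting, value).
$rows = [
    ['user_id' => 1, 'setting' => 'homepage', 'value' => ['path' => '/events/index']],
    ['user_id' => 2, 'setting' => 'homepage', 'value' => ['path' => 'javascript:alert(1)']],
    ['user_id' => 3, 'setting' => 'homepage', 'value' => '/news"><script>alert(1)</script>'],
];
foreach ($rows as $row) echo render_link_escaped($row['value']), "\n";
print_r(audit_homepages($rows));
```

Run against a real export of the user_settings table, the audit output is the list of homepages an administrator should reset after deploying the commit.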

Preconditions

  • config: The MISP instance must have the Overmind theme enabled (the vulnerable code path was only triggered when `$this->theme === "Overmind"`).
  • auth: The attacker must be an authenticated user.
  • network: The attacker sends a POST request to the `setHomePage` endpoint.
  • input: The payload is a `path` value that does not start with `/` and contains JavaScript (e.g. `javascript:alert(1)`).

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
