VYPR

Misp

by Misp

Source repositories

CVEs (140)

  • CVE-2018-12649CriJun 22, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

  • CVE-2026-10611CriJun 2, 2026
    risk 0.58cvss 10.0epss 0.00

    An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may…

  • CVE-2015-5721CriSep 3, 2016
    risk 0.57cvss 9.8epss 0.03

    Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_attributes.ctp.

  • CVE-2015-5719CriSep 3, 2016
    risk 0.57cvss 9.8epss 0.02

    app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92 does not properly restrict filenames under the tmp/files/ directory, which has unspecified impact and attack vectors.

  • CVE-2026-39962CriApr 9, 2026
    risk 0.55cvss 9.6epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use…

  • CVE-2025-66384HigNov 28, 2025
    risk 0.53cvss 8.2epss 0.00

    app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.

  • CVE-2017-14337HigSep 12, 2017
    risk 0.53cvss 8.1epss 0.01

    When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user…

  • CVE-2026-10868CriJun 4, 2026
    risk 0.52cvss epss 0.00

    A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An…

  • CVE-2026-54361HigJun 12, 2026
    risk 0.50cvss epss 0.00

    MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers…

  • CVE-2026-54360HigJun 12, 2026
    risk 0.48cvss epss 0.00

    A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a…

  • CVE-2018-6926HigFeb 12, 2018
    risk 0.47cvss 7.2epss 0.02

    In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The…

  • CVE-2026-10863HigJun 4, 2026
    risk 0.46cvss 8.1epss 0.00

    A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending…

  • CVE-2026-54358HigJun 12, 2026
    risk 0.42cvss epss 0.00

    An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within…

  • CVE-2026-9137HigMay 20, 2026
    risk 0.42cvss 7.5epss 0.00

    The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and…

  • CVE-2026-44380HigMay 13, 2026
    risk 0.40cvss 7.2epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site…

  • CVE-2018-11562MedMay 30, 2018
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.

  • CVE-2017-15216MedOct 10, 2017
    risk 0.40cvss 6.1epss 0.01

    MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.

  • CVE-2017-13671MedAug 24, 2017
    risk 0.40cvss 6.1epss 0.01

    app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.

  • CVE-2017-7215MedMar 21, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2026-54359HigJun 12, 2026
    risk 0.39cvss epss 0.00

    MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site…

Page 1 of 7