Misp
by Misp
Source repositories
CVEs (140)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-10860 | Med | 0.35 | 6.5 | 0.00 | Jun 4, 2026 | A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE,… | ||
| CVE-2026-9136 | Med | 0.35 | 6.5 | 0.00 | May 20, 2026 | A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an… | ||
| CVE-2017-16802 | Med | 0.35 | 5.4 | 0.01 | Nov 13, 2017 | In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added. | ||
| CVE-2026-54397 | Med | 0.33 | — | 0.00 | Jun 12, 2026 | A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing… | ||
| CVE-2026-10861 | Med | 0.33 | 6.1 | 0.00 | Jun 4, 2026 | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An… | ||
| CVE-2026-10856 | Med | 0.33 | 6.1 | 0.00 | Jun 4, 2026 | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did… | ||
| CVE-2024-54675 | Med | 0.33 | 6.1 | 0.00 | Dec 4, 2024 | app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow. | ||
| CVE-2024-54674 | Med | 0.33 | 6.1 | 0.00 | Dec 4, 2024 | app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format. | ||
| CVE-2015-5720 | Med | 0.33 | 6.1 | 0.01 | Sep 3, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3)… | ||
| CVE-2026-9084 | Med | 0.32 | — | 0.00 | May 20, 2026 | MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an… | ||
| CVE-2017-16946 | Med | 0.32 | 4.9 | 0.01 | Nov 25, 2017 | The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. | ||
| CVE-2026-8080 | Med | 0.28 | 5.4 | 0.00 | May 7, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling… | ||
| CVE-2026-54398 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects,… | ||
| CVE-2026-54396 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An… | ||
| CVE-2026-54395 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before… | ||
| CVE-2026-54394 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended… | ||
| CVE-2026-54362 | Med | 0.27 | — | 0.00 | Jun 12, 2026 | An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the… | ||
| CVE-2026-44381 | Med | 0.27 | 5.3 | 0.01 | May 13, 2026 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values… | ||
| CVE-2026-44379 | Med | 0.27 | 5.3 | 0.00 | May 13, 2026 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing… | ||
| CVE-2025-66386 | Med | 0.27 | 4.1 | 0.00 | Nov 28, 2025 | app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. |
- risk 0.35cvss 6.5epss 0.00
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE,…
- risk 0.35cvss 6.5epss 0.00
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an…
- risk 0.35cvss 5.4epss 0.01
In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.
- risk 0.33cvss —epss 0.00
A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing…
- risk 0.33cvss 6.1epss 0.00
An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An…
- risk 0.33cvss 6.1epss 0.00
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did…
- risk 0.33cvss 6.1epss 0.00
app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.
- risk 0.33cvss 6.1epss 0.00
app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.
- risk 0.33cvss 6.1epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3)…
- risk 0.32cvss —epss 0.00
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an…
- risk 0.32cvss 4.9epss 0.01
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
- risk 0.28cvss 5.4epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling…
- risk 0.27cvss —epss 0.00
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects,…
- risk 0.27cvss —epss 0.00
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An…
- risk 0.27cvss —epss 0.00
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before…
- risk 0.27cvss —epss 0.00
MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended…
- risk 0.27cvss —epss 0.00
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the…
- risk 0.27cvss 5.3epss 0.01
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values…
- risk 0.27cvss 5.3epss 0.00
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing…
- risk 0.27cvss 4.1epss 0.00
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.
Page 2 of 7