VYPR

Misp

by Misp


CVEs (140)

  • CVE-2026-10860 | Medium | Jun 4, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE,…

  • CVE-2026-9136 | Medium | May 20, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an…

  • CVE-2017-16802 | Medium | Nov 13, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.

  • CVE-2026-54397 | Medium | Jun 12, 2026
    risk 0.33 | cvss n/a | epss 0.00

    A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing…

  • CVE-2026-10861 | Medium | Jun 4, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An…

  • CVE-2026-10856 | Medium | Jun 4, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did…
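The two entries above (CVE-2026-10861 and CVE-2026-10856) share one root cause: a redirect or link target was assumed to be a local path without actually proving it. The following is an added example, not MISP's own PHP code, written in Python to show the check a practitioner wants at such a sink: it accepts only an absolute path on the application's own origin and rejects the relative-looking spellings browsers resolve cross-origin (protocol-relative `//host`, backslash variants, percent-encoded forms, control characters). The function names and the `"/dashboard"` fallback are assumptions for the example; the page does not say which spelling bypassed MISP's check, so this covers the class rather than one payload.

```python
from urllib.parse import urlsplit, unquote


def is_local_path(target) -> bool:
    """Return True only if `target` is an absolute path on this site.

    A post-login redirect or a dashboard link must never leave the
    application, so anything a browser could resolve against another
    origin is rejected: an explicit scheme, host or userinfo, the
    protocol-relative form '//host', backslash variants that browsers
    normalise to '/', percent-encoded spellings of those, and control
    characters, which browsers strip before parsing.
    """
    if not isinstance(target, str) or not target:
        return False
    # Decode once so '%2F%2Fevil.example' is judged as '//evil.example',
    # and treat '\' as '/' because browsers do so in the authority position.
    normalised = unquote(target).replace("\\", "/")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in normalised):
        return False
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    return not (parts.scheme or parts.netloc or parts.username)


def safe_redirect_target(requested, default: str = "/") -> str:
    """Use the requested path if it is local, otherwise a fixed in-app path.

    This is the shape a routeafterlogin-style handler wants: the session
    value is consulted, but it can only ever select a local destination.
    """
    return requested if is_local_path(requested) else default
```

The order of operations matters: decode first, then normalise separators, then test. Testing the raw string and decoding afterwards lets `%2F%2Fhost` slip through, and a parse-only check (`parse_url`, `urlsplit`) without the leading-slash test misses spellings the parser treats as a path but the browser treats as an authority.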

  • CVE-2024-54675 | Medium | Dec 4, 2024
    risk 0.33 | cvss 6.1 | epss 0.00

    app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.

  • CVE-2024-54674 | Medium | Dec 4, 2024
    risk 0.33 | cvss 6.1 | epss 0.00

    app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.

  • CVE-2015-5720 | Medium | Sep 3, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3)…

  • CVE-2026-9084 | Medium | May 20, 2026
    risk 0.32 | cvss n/a | epss 0.00

    MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an…

  • CVE-2017-16946 | Medium | Nov 25, 2017
    risk 0.32 | cvss 4.9 | epss 0.01

    The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.

  • CVE-2026-8080 | Medium | May 7, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MISP allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling…

  • CVE-2026-54398 | Medium | Jun 12, 2026
    risk 0.27 | cvss n/a | epss 0.00

    An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects,…

  • CVE-2026-54396 | Medium | Jun 12, 2026
    risk 0.27 | cvss n/a | epss 0.00

    An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An…

  • CVE-2026-54395 | Medium | Jun 12, 2026
    risk 0.27 | cvss n/a | epss 0.00

    MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before…
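The mechanism in CVE-2026-54395 is worth seeing end to end, because HTML escaping looks like it should be enough. It is not: the HTML parser decodes `&#x27;` back to a raw quote before the script engine ever sees the attribute value, so a quote "escaped" for HTML still terminates the JavaScript string literal. The following is an added example in Python, not MISP's PHP view code; `loadIndex` and the handler shape are assumed. `script_seen_by_engine` models the parser step (attribute body, then character-reference decoding), and `literal_stays_closed` walks the literal the way a JS lexer would to decide whether attacker text landed in code position.

```python
import html
import json


def weak_handler_attr(value: str) -> str:
    """The vulnerable layering: HTML-escape the value and drop it into a
    single-quoted JavaScript string inside an inline event handler."""
    return "onclick=\"loadIndex('%s')\"" % html.escape(value, quote=True)


def safe_handler_attr(value: str) -> str:
    """The correct layering: build a JavaScript string literal first, then
    HTML-escape that literal for the attribute context it sits in."""
    js_literal = json.dumps(value)               # double-quoted; escapes " \ and controls
    js_literal = js_literal.replace("/", "\\/")  # also neutralise '</script' inside the literal
    return 'onclick="loadIndex(%s)"' % html.escape(js_literal, quote=True)


def script_seen_by_engine(attr: str) -> str:
    """Simulate the HTML parser: take the double-quoted attribute body and
    decode character references. This is the text the JS engine compiles."""
    body = attr[attr.index('"') + 1 : attr.rindex('"')]
    return html.unescape(body)


def literal_stays_closed(js: str, prefix: str = "loadIndex(") -> bool:
    """Walk the string literal that follows `prefix`; return True only if the
    literal ends right before the closing ')' of the call, i.e. no attacker
    text escaped into code position."""
    if not js.startswith(prefix):
        return False
    i = len(prefix)
    if i >= len(js) or js[i] not in "'\"":
        return False
    quote = js[i]
    i += 1
    while i < len(js):
        ch = js[i]
        if ch == "\\":
            i += 2                       # escaped character, skip it
            continue
        if ch in "\n\r\u2028\u2029":
            return False                 # bare line terminator ends the literal early
        if ch == quote:
            return js[i + 1 :] == ")"
        i += 1
    return False
```

The general rule the example illustrates: encode for the innermost context first (JavaScript string literal), then for each enclosing context outward (HTML attribute). Reversing the order, or doing only the outer one, is exactly the bug described above.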

  • CVE-2026-54394 | Medium | Jun 12, 2026
    risk 0.27 | cvss n/a | epss 0.00

    MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended…

  • CVE-2026-54362 | Medium | Jun 12, 2026
    risk 0.27 | cvss n/a | epss 0.00

    An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the…

  • CVE-2026-44381 | Medium | May 13, 2026
    risk 0.27 | cvss 5.3 | epss 0.01

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values…
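An ORDER BY sink is easy to underrate because it does not return attacker-chosen rows; what it does is turn the row order into a one-bit oracle per request. The following is an added example, not MISP's code, using Python and an in-memory SQLite database with constructed tables and rows; the column allow-list (`id`, `date`, `info`) and the `password` column are assumptions for the demonstration. `vulnerable_listing_sql` concatenates the request value, `oracle_first_char_is` shows what that buys an attacker, and `safe_listing_sql` is the fix: column and direction are validated against fixed sets, so request data never reaches the SQL text.

```python
import sqlite3

# Assumed allow-list for the listing's sortable columns (illustrative).
SORTABLE_COLUMNS = {"id", "date", "info"}
DIRECTIONS = {"asc", "desc"}


def vulnerable_listing_sql(order: str) -> str:
    """Vulnerable pattern: the request's order value is concatenated into SQL."""
    return f"SELECT id FROM events ORDER BY {order}"


def safe_listing_sql(column: str, direction: str = "asc") -> str:
    """Hardened pattern: column and direction are checked against allow-lists,
    and the column is emitted as a quoted identifier from that list."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    direction = direction.lower()
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction: {direction!r}")
    return f'SELECT id FROM events ORDER BY "{column}" {direction.upper()}'


def rejects(column: str, direction: str = "asc") -> bool:
    """True if the hardened builder refuses this (column, direction) pair."""
    try:
        safe_listing_sql(column, direction)
        return False
    except ValueError:
        return True


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema and rows standing in for the real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE events (id INTEGER PRIMARY KEY, date TEXT, info TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO events VALUES (1, '2026-01-01', 'first'),
                                  (2, '2026-01-02', 'second'),
                                  (3, '2026-01-03', 'third');
        INSERT INTO users  VALUES (1, 'admin@example.org', '$2y$10$constructedhash');
        """
    )
    return conn


def ids_in_order(conn: sqlite3.Connection, sql: str) -> list:
    return [row[0] for row in conn.execute(sql)]


def oracle_first_char_is(conn: sqlite3.Connection, guess: str) -> bool:
    """Why an ORDER BY sink matters: the sort key can be a CASE over a subquery,
    so the row order leaks one bit per request (true -> ascending ids)."""
    order = (
        "(CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE id = 1) "
        f"= '{guess}' THEN id ELSE -id END)"
    )
    return ids_in_order(conn, vulnerable_listing_sql(order)) == [1, 2, 3]
```

Parameter binding does not help here, since identifiers and sort direction cannot be bound; the allow-list is the only sound fix, and it should live next to the query builder rather than in each controller that accepts `sort`/`order`.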

  • CVE-2026-44379 | Medium | May 13, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing…
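"Validate the UUID" is often implemented as "see whether the language's UUID parser accepts it", which is a different and weaker check. The following is an added example in Python, not MISP's code, contrasting a strict RFC 4122 canonical-form validator (8-4-4-4-12 lowercase hex, version nibble 1 to 5, RFC variant bits; the nil UUID and surrounding whitespace are rejected, which is an assumption appropriate for a record key that must compare byte-for-byte) with what `uuid.UUID()` alone lets through: braces, a `urn:uuid:` prefix, hyphen-less hex and any version or variant.

```python
import re
import uuid
from typing import Optional

# Canonical RFC 4122 text form: 8-4-4-4-12 hex, version nibble 1-5, variant bits 10xx.
_CANONICAL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def canonical_uuid(value) -> Optional[str]:
    """Return the lowercase canonical form if `value` is a well-formed RFC 4122
    UUID string, else None. Uppercase input is normalised; braces, URN prefix,
    missing hyphens, whitespace, wrong version/variant and non-strings are all
    rejected, so what gets stored is exactly what later lookups will compare."""
    if not isinstance(value, str):
        return None
    lowered = value.lower()
    return lowered if _CANONICAL.match(lowered) else None


def lenient_parses(value: str) -> bool:
    """What a bare uuid.UUID() call accepts: many non-canonical spellings and any
    version or variant, so it is a decoding step, not a format check."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False
```

Normalising to lowercase on input and rejecting everything else keeps the `uuid` column usable as a join and de-duplication key; accepting the lenient spellings means the same identifier can be stored in several byte-different forms.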

  • CVE-2025-66386 | Medium | Nov 28, 2025
    risk 0.27 | cvss 4.1 | epss 0.00

    app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in the view-picture action for a site-admin user.
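CVE-2026-54394 (organisation logos built from `id`, `name` and `uuid`) and CVE-2025-66386 (event report pictures) are both the same failure: a file path assembled from record data with no proof that the result stays under the intended directory. The following is an added example in Python, not MISP's PHP code, showing the two-layer fix a practitioner wants: a strict filename pattern on each untrusted component, and a containment check made after `resolve()` so that `..`, absolute components and symlinks are judged on the real location rather than on the string. The `.png` suffix, the field order and the `SAFE_NAME` pattern are assumptions for the example; the temporary directory and the file written into it are constructed test fixtures.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed filename policy: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def resolve_inside(base_dir: Path, *untrusted_parts: str) -> Path:
    """Join untrusted path components onto base_dir and prove the result is
    still inside it. resolve() collapses '..', applies absolute components and
    follows symlinks first, so the containment test is on the real location."""
    base = base_dir.resolve()
    candidate = base.joinpath(*untrusted_parts).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{candidate} is outside {base}")
    return candidate


def escapes(base_dir: Path, *untrusted_parts: str) -> bool:
    """True if the joined path would leave base_dir (handy for tests and logs)."""
    try:
        resolve_inside(base_dir, *untrusted_parts)
        return False
    except PermissionError:
        return True


def org_logo_path(logo_dir: Path, org: dict) -> Optional[Path]:
    """Pick a logo file for an organisation record. Each candidate name is
    first checked against SAFE_NAME (so '../x', 'a/b' and '.hidden' never
    reach the filesystem), then the joined path is checked for containment."""
    for field in ("id", "uuid", "name"):
        value = str(org.get(field, ""))
        if not SAFE_NAME.match(value):
            continue
        path = resolve_inside(logo_dir, f"{value}.png")
        if path.is_file():
            return path
    return None


def make_fixture_dir() -> Path:
    """Constructed fixture: a temp logo directory holding one file, '1.png'."""
    base = Path(tempfile.mkdtemp())
    (base / "1.png").write_bytes(b"\x89PNG constructed fixture, not a real image")
    return base
```

The filename pattern alone would stop the traversal strings, but keeping the post-`resolve()` containment check means a future caller that joins several components, or a symlink planted in the directory, is still caught.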

Page 2 of 7