VYPR

Misp

by Misp

CVEs (140)

  • CVE-2026-54393 · Med · Jun 12, 2026
    risk 0.26 · cvss – · epss 0.00

    A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage,…

  • CVE-2026-54357 · Med · Jun 12, 2026
    risk 0.26 · cvss – · epss 0.00

    An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by…

  • CVE-2026-10864 · Med · Jun 4, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or…

  • CVE-2026-10855 · Med · Jun 4, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization…

  • CVE-2026-10854 · Med · Jun 4, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access…

  • CVE-2018-19908 · Dec 6, 2018
    risk 0.04 · cvss – · epss 0.17

    An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking…

  • CVE-2026-56447 · Jun 22, 2026
    risk 0.00 · cvss – · epss 0.00

    MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka…

  • CVE-2026-56446 · Jun 22, 2026
    risk 0.00 · cvss – · epss 0.00

    MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP…

  • CVE-2026-56424 · Jun 22, 2026
    risk 0.00 · cvss – · epss 0.00

    MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature…

  • CVE-2026-56423 · Jun 22, 2026
    risk 0.00 · cvss – · epss 0.00

    MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For…

  • CVE-2026-56422 · Jun 22, 2026
    risk 0.00 · cvss – · epss 0.00

    Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object…

  • CVE-2025-67906 · Dec 15, 2025
    risk 0.00 · cvss – · epss 0.00

    In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

  • CVE-2024-58130 · Mar 28, 2025
    risk 0.00 · cvss – · epss 0.00

    In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

  • CVE-2024-58129 · Mar 28, 2025
    risk 0.00 · cvss – · epss 0.00

    In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.

  • CVE-2024-58128 · Mar 28, 2025
    risk 0.00 · cvss – · epss 0.00

    In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.

  • CVE-2024-57969 · Feb 14, 2025
    risk 0.00 · cvss – · epss 0.00

    app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

  • CVE-2024-46918 · Sep 15, 2024
    risk 0.00 · cvss – · epss 0.00

    app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.

  • CVE-2024-45509 · Sep 1, 2024
    risk 0.00 · cvss – · epss 0.00

    In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

  • CVE-2024-29859 · Mar 21, 2024
    risk 0.00 · cvss – · epss 0.01

    In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

  • CVE-2024-29858 · Mar 21, 2024
    risk 0.00 · cvss – · epss 0.00

    In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

Page 3 of 7