Vendor: Misp
Products: 1
CVEs: 10
Across products: 10
Status: Private
Products: 1 (10 CVEs)
Recent CVEs: 10
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39962 | Cri | 0.55 | 9.6 | 0.00 | | Apr 9, 2026 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36. |
| CVE-2025-66384 | Hig | 0.53 | 8.2 | 0.00 | | Nov 28, 2025 | app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. |
| CVE-2017-13671 | Med | 0.40 | 6.1 | 0.00 | | Aug 24, 2017 | app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation. |
| CVE-2017-16946 | Med | 0.32 | 4.9 | 0.00 | | Nov 25, 2017 | The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. |
| CVE-2026-8080 | Med | 0.28 | 5.4 | 0.00 | | May 7, 2026 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating engine from MISP (no longer accessible in 2.5.37), which will be removed in 2.5.38. |
| CVE-2025-67906 | | 0.00 | — | 0.00 | | Dec 15, 2025 | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. |
| CVE-2024-58129 | | 0.00 | — | 0.00 | | Mar 28, 2025 | In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. |
| CVE-2024-58128 | | 0.00 | — | 0.00 | | Mar 28, 2025 | In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. |
| CVE-2024-58130 | | 0.00 | — | 0.00 | | Mar 28, 2025 | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. |
| CVE-2024-57969 | | 0.00 | — | 0.00 | | Feb 14, 2025 | app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. |