VYPR

Vendor CVEs

Misp

All CVEs

143 total · sorted by risk
  • CVE-2018-12649CriJun 22, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

  • CVE-2026-10611CriJun 2, 2026
    risk 0.58cvss 10.0epss 0.00

    An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may…

  • CVE-2015-5721CriSep 3, 2016
    risk 0.57cvss 9.8epss 0.03

    Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_attributes.ctp.

  • CVE-2015-5719CriSep 3, 2016
    risk 0.57cvss 9.8epss 0.02

    app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92 does not properly restrict filenames under the tmp/files/ directory, which has unspecified impact and attack vectors.

  • CVE-2026-39962CriApr 9, 2026
    risk 0.55cvss 9.6epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use…

  • CVE-2025-66384HigNov 28, 2025
    risk 0.53cvss 8.2epss 0.00

    app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name.

  • CVE-2017-14337HigSep 12, 2017
    risk 0.53cvss 8.1epss 0.01

    When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user…

  • CVE-2026-10868CriJun 4, 2026
    risk 0.52cvss epss 0.00

    A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An…

  • CVE-2026-54361HigJun 12, 2026
    risk 0.50cvss epss 0.00

    MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers…

  • CVE-2026-54360HigJun 12, 2026
    risk 0.48cvss epss 0.00

    A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a…

  • CVE-2018-6926HigFeb 12, 2018
    risk 0.47cvss 7.2epss 0.02

    In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The…

  • CVE-2026-10863HigJun 4, 2026
    risk 0.46cvss 8.1epss 0.00

    A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending…

  • CVE-2026-54358HigJun 12, 2026
    risk 0.42cvss epss 0.00

    An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within…

  • CVE-2026-9137HigMay 20, 2026
    risk 0.42cvss 7.5epss 0.00

    The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and…

  • CVE-2026-44380HigMay 13, 2026
    risk 0.40cvss 7.2epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site…

  • CVE-2018-11562MedMay 30, 2018
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter.

  • CVE-2017-15216MedOct 10, 2017
    risk 0.40cvss 6.1epss 0.01

    MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.

  • CVE-2017-13671MedAug 24, 2017
    risk 0.40cvss 6.1epss 0.01

    app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation.

  • CVE-2017-7215MedMar 21, 2017
    risk 0.40cvss 6.1epss 0.02

    Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2026-54359HigJun 12, 2026
    risk 0.39cvss epss 0.00

    MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site…

  • CVE-2026-53693MedJun 10, 2026
    risk 0.38cvss epss 0.00

    A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event…

  • CVE-2026-10860MedJun 4, 2026
    risk 0.35cvss 6.5epss 0.00

    A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE,…

  • CVE-2026-9136MedMay 20, 2026
    risk 0.35cvss 6.5epss 0.00

    A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an…

  • CVE-2017-16802MedNov 13, 2017
    risk 0.35cvss 5.4epss 0.01

    In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name that is manually added.

  • CVE-2026-9806MedMay 28, 2026
    risk 0.34cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without…

  • CVE-2026-54397MedJun 12, 2026
    risk 0.33cvss epss 0.00

    A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing…

  • CVE-2026-10861MedJun 4, 2026
    risk 0.33cvss 6.1epss 0.00

    An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An…

  • CVE-2026-10856MedJun 4, 2026
    risk 0.33cvss 6.1epss 0.00

    A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did…

  • CVE-2024-54675MedDec 4, 2024
    risk 0.33cvss 6.1epss 0.00

    app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow.

  • CVE-2024-54674MedDec 4, 2024
    risk 0.33cvss 6.1epss 0.00

    app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format.

  • CVE-2015-5720MedSep 3, 2016
    risk 0.33cvss 6.1epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3)…

  • CVE-2026-9084MedMay 20, 2026
    risk 0.32cvss epss 0.00

    MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an…

  • CVE-2017-16946MedNov 25, 2017
    risk 0.32cvss 4.9epss 0.01

    The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.

  • CVE-2026-8080MedMay 7, 2026
    risk 0.28cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling…

  • CVE-2026-54398MedJun 12, 2026
    risk 0.27cvss epss 0.00

    An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects,…

  • CVE-2026-54396MedJun 12, 2026
    risk 0.27cvss epss 0.00

    An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An…

  • CVE-2026-54395MedJun 12, 2026
    risk 0.27cvss epss 0.00

    MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before…

  • CVE-2026-54394MedJun 12, 2026
    risk 0.27cvss epss 0.00

    MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended…

  • CVE-2026-54362MedJun 12, 2026
    risk 0.27cvss epss 0.00

    An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the…

  • CVE-2026-44381MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.01

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values…

  • CVE-2026-44379MedMay 13, 2026
    risk 0.27cvss 5.3epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing…

  • CVE-2025-66386MedNov 28, 2025
    risk 0.27cvss 4.1epss 0.00

    app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin.

  • CVE-2026-54393MedJun 12, 2026
    risk 0.26cvss epss 0.00

    A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage,…

  • CVE-2026-54357MedJun 12, 2026
    risk 0.26cvss epss 0.00

    An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by…

  • CVE-2026-10864MedJun 4, 2026
    risk 0.21cvss 4.3epss 0.00

    A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or…

  • CVE-2026-10855MedJun 4, 2026
    risk 0.21cvss 4.3epss 0.00

    An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization…

  • CVE-2026-10854MedJun 4, 2026
    risk 0.21cvss 4.3epss 0.00

    A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access…

  • CVE-2018-19908Dec 6, 2018
    risk 0.04cvss epss 0.17

    An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking…

  • CVE-2026-56447Jun 22, 2026
    risk 0.00cvss epss 0.00

    MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka…

  • CVE-2026-56446Jun 22, 2026
    risk 0.00cvss epss 0.00

    MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP…

Page 1 of 3