Vendor CVEs
Misp
All CVEs
143 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-56425 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier… |
| CVE-2026-56424 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature… |
| CVE-2026-56423 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For… |
| CVE-2026-56422 | | | 0.00 | — | 0.00 | | Jun 22, 2026 | Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object… |
| CVE-2025-67906 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. |
| CVE-2024-58128 | | | 0.00 | — | 0.00 | | Mar 28, 2025 | In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. |
| CVE-2024-58130 | | | 0.00 | — | 0.00 | | Mar 28, 2025 | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. |
| CVE-2024-58129 | | | 0.00 | — | 0.00 | | Mar 28, 2025 | In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. |
| CVE-2024-57969 | | | 0.00 | — | 0.00 | | Feb 14, 2025 | app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. |
| CVE-2024-46918 | | | 0.00 | — | 0.00 | | Sep 15, 2024 | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. |
| CVE-2024-45509 | | | 0.00 | — | 0.00 | | Sep 1, 2024 | In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. |
| CVE-2024-29859 | | | 0.00 | — | 0.01 | | Mar 21, 2024 | In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. |
| CVE-2024-29858 | | | 0.00 | — | 0.00 | | Mar 21, 2024 | In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. |
| CVE-2024-25675 | | | 0.00 | — | 0.01 | | Feb 9, 2024 | An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. |
| CVE-2024-25674 | | | 0.00 | — | 0.01 | | Feb 9, 2024 | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. |
| CVE-2023-50918 | | | 0.00 | — | 0.01 | | Dec 15, 2023 | app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. |
| CVE-2023-49926 | | | 0.00 | — | 0.00 | | Dec 3, 2023 | app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. |
| CVE-2023-48657 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters. |
| CVE-2023-48655 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. |
| CVE-2023-48656 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses. |
| CVE-2023-48658 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space. |
| CVE-2023-48659 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing. |
| CVE-2023-41098 | | | 0.00 | — | 0.00 | | Aug 23, 2023 | An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit. |
| CVE-2023-40224 | | | 0.00 | — | 0.00 | | Aug 10, 2023 | MISP 2.4.174 allows XSS in app/View/Events/index.ctp. |
| CVE-2023-37306 | | | 0.00 | — | 0.00 | | Jun 30, 2023 | MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages. |
| CVE-2023-37307 | | | 0.00 | — | 0.00 | | Jun 30, 2023 | In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts. |
| CVE-2023-28884 | | | 0.00 | — | 0.00 | | Mar 27, 2023 | In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index. |
| CVE-2023-28606 | | | 0.00 | — | 0.00 | | Mar 18, 2023 | js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips. |
| CVE-2023-28607 | | | 0.00 | — | 0.00 | | Mar 18, 2023 | js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip. |
| CVE-2022-48328 | | | 0.00 | — | 0.01 | | Feb 20, 2023 | app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. |
| CVE-2022-48329 | | | 0.00 | — | 0.01 | | Feb 20, 2023 | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. |
| CVE-2023-24070 | | | 0.00 | — | 0.00 | | Jan 23, 2023 | app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field. |
| CVE-2023-24027 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. |
| CVE-2023-24028 | | | 0.00 | — | 0.01 | | Jan 20, 2023 | In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. |
| CVE-2023-24026 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. |
| CVE-2022-47928 | | | 0.00 | — | 0.00 | | Dec 22, 2022 | In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp. |
| CVE-2022-42724 | | | 0.00 | — | 0.00 | | Oct 10, 2022 | app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have). |
| CVE-2022-29534 | | | 0.00 | — | 0.02 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header. |
| CVE-2022-29530 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. |
| CVE-2022-29529 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field. |
| CVE-2022-29532 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. |
| CVE-2022-29528 | | | 0.00 | — | 0.02 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. |
| CVE-2022-29531 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. |
| CVE-2022-29533 | | | 0.00 | — | 0.01 | | Apr 20, 2022 | An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." |
| CVE-2022-27243 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| CVE-2022-27244 | | | 0.00 | — | 0.00 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user. |
| CVE-2022-27245 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. |
| CVE-2022-27246 | | | 0.00 | — | 0.01 | | Mar 18, 2022 | An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. |
| CVE-2021-41326 | | | 0.00 | — | 0.02 | | Sep 17, 2021 | In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. |
| CVE-2021-39302 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
Page 2 of 3