VYPR · Vendor CVEs · MISP · All CVEs

143 total · sorted by risk
  • CVE-2026-56425 · Jun 22, 2026
    risk 0.00 · cvss · epss 0.00

    The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier…

  • CVE-2026-56424 · Jun 22, 2026
    risk 0.00 · cvss · epss 0.00

    MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature…

  • CVE-2026-56423 · Jun 22, 2026
    risk 0.00 · cvss · epss 0.00

    MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For…

  • CVE-2026-56422 · Jun 22, 2026
    risk 0.00 · cvss · epss 0.00

    Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object…

  • CVE-2025-67906 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

  • CVE-2024-58128 · Mar 28, 2025
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link.

  • CVE-2024-58130 · Mar 28, 2025
    risk 0.00 · cvss · epss 0.00

    In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses.

  • CVE-2024-58129 · Mar 28, 2025
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page.

  • CVE-2024-57969 · Feb 14, 2025
    risk 0.00 · cvss · epss 0.00

    app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

  • CVE-2024-46918 · Sep 15, 2024
    risk 0.00 · cvss · epss 0.00

    app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.

  • CVE-2024-45509 · Sep 1, 2024
    risk 0.00 · cvss · epss 0.00

    In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

  • CVE-2024-29859 · Mar 21, 2024
    risk 0.00 · cvss · epss 0.01

    In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

  • CVE-2024-29858 · Mar 21, 2024
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.

  • CVE-2024-25675 · Feb 9, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.

  • CVE-2024-25674 · Feb 9, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.

  • CVE-2023-50918 · Dec 15, 2023
    risk 0.00 · cvss · epss 0.01

    app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

  • CVE-2023-49926 · Dec 3, 2023
    risk 0.00 · cvss · epss 0.00

    app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.

  • CVE-2023-48657 · Nov 17, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters.

  • CVE-2023-48655 · Nov 17, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters.

  • CVE-2023-48656 · Nov 17, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses.

  • CVE-2023-48658 · Nov 17, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function that restricts parameter values to alphanumerics, underscore, dash, period, and space.

  • CVE-2023-48659 · Nov 17, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing.

  • CVE-2023-41098 · Aug 23, 2023
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon a dashboard edit.

  • CVE-2023-40224 · Aug 10, 2023
    risk 0.00 · cvss · epss 0.00

    MISP 2.4.174 allows XSS in app/View/Events/index.ctp.

  • CVE-2023-37306 · Jun 30, 2023
    risk 0.00 · cvss · epss 0.00

    MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages.

  • CVE-2023-37307 · Jun 30, 2023
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.

  • CVE-2023-28884 · Mar 27, 2023
    risk 0.00 · cvss · epss 0.00

    In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.

  • CVE-2023-28606 · Mar 18, 2023
    risk 0.00 · cvss · epss 0.00

    js/event-graph.js in MISP before 2.4.169 allows XSS via event-graph node tooltips.

  • CVE-2023-28607 · Mar 18, 2023
    risk 0.00 · cvss · epss 0.00

    js/event-graph.js in MISP before 2.4.169 allows XSS via the event-graph relationship tooltip.

  • CVE-2022-48328 · Feb 20, 2023
    risk 0.00 · cvss · epss 0.01

    app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

  • CVE-2022-48329 · Feb 20, 2023
    risk 0.00 · cvss · epss 0.01

    MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.

  • CVE-2023-24070 · Jan 23, 2023
    risk 0.00 · cvss · epss 0.00

    app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.

  • CVE-2023-24027 · Jan 20, 2023
    risk 0.00 · cvss · epss 0.00

    In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

  • CVE-2023-24028 · Jan 20, 2023
    risk 0.00 · cvss · epss 0.01

    In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

  • CVE-2023-24026 · Jan 20, 2023
    risk 0.00 · cvss · epss 0.00

    In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

  • CVE-2022-47928 · Dec 22, 2022
    risk 0.00 · cvss · epss 0.00

    In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

  • CVE-2022-42724 · Oct 10, 2022
    risk 0.00 · cvss · epss 0.00

    app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

  • CVE-2022-29534 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.

  • CVE-2022-29530 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

  • CVE-2022-29529 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

  • CVE-2022-29532 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.

  • CVE-2022-29528 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.02

    An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

  • CVE-2022-29531 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

  • CVE-2022-29533 · Apr 20, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page."

  • CVE-2022-27243 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.

  • CVE-2022-27244 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.

  • CVE-2022-27245 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.

  • CVE-2022-27246 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.

  • CVE-2021-41326 · Sep 17, 2021
    risk 0.00 · cvss · epss 0.02

    In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

  • CVE-2021-39302 · Aug 19, 2021
    risk 0.00 · cvss · epss 0.01

    MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
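The practical question this listing raises is which entries apply to a given MISP install. The descriptions carry their version constraint in three NVD wordings: "before X" (fixed in X), "through X" (X still affected), and a bare "MISP X" (the release the issue was reported against). The following Python helper, added here as an example rather than VYPR's or the MISP project's code, parses those wordings and buckets entries as affected, unaffected or unknown for an installed version. The sample descriptions are copied from the listing; the installed version strings are constructed inputs, and the choice to treat a bare "MISP X" like "through X" is this helper's own conservative reading, not something the listing states.

```python
"""Affected-version triage over NVD-style CVE descriptions.

Added example; not VYPR's or the MISP project's code. Parses the version
constraint embedded in each description and checks an installed version
against it. Sample entries below are copied from the listing; the
installed version passed to triage() is a constructed input.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Wordings seen in the listing, checked in this order.
#   "before X"  -> affected if installed <  X   (X is the fixed release)
#   "through X" -> affected if installed <= X
#   "MISP X ..." -> NVD names the release the issue was reported against.
#     Older releases are not cleared by that wording, so this helper
#     (its own assumption) treats it like "through X" and leaves
#     confirming the actual fixed release to the reader.
_BEFORE = re.compile(r"\bbefore\s+(\d+(?:\.\d+)+)")
_THROUGH = re.compile(r"\bthrough\s+(\d+(?:\.\d+)+)")
_REPORTED = re.compile(r"\bMISP\s+(\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> Version:
    """'2.4.176' -> (2, 4, 176), so tuple comparison orders releases."""
    return tuple(int(p) for p in text.strip().split("."))


@dataclass(frozen=True)
class Constraint:
    kind: str          # "before", "through" or "reported_in"
    version: Version

    def matches(self, installed: Version) -> bool:
        if self.kind == "before":
            return installed < self.version
        # "through" and "reported_in" both cover everything up to X.
        return installed <= self.version


def parse_constraint(description: str) -> Optional[Constraint]:
    """Return the constraint in an NVD-style sentence, or None when the
    text carries no version (e.g. the truncated 2026 entries). Callers
    should report None as 'unknown', never as 'unaffected'."""
    for kind, pattern in (("before", _BEFORE),
                          ("through", _THROUGH),
                          ("reported_in", _REPORTED)):
        m = pattern.search(description)
        if m:
            return Constraint(kind, parse_version(m.group(1)))
    return None


def triage(entries, installed: str) -> Tuple[List[str], List[str], List[str]]:
    """Split (cve_id, description) pairs into affected / unaffected / unknown."""
    inst = parse_version(installed)
    affected, unaffected, unknown = [], [], []
    for cve_id, description in entries:
        c = parse_constraint(description)
        if c is None:
            unknown.append(cve_id)
        elif c.matches(inst):
            affected.append(cve_id)
        else:
            unaffected.append(cve_id)
    return affected, unaffected, unknown


# Sample input: descriptions copied from the listing above.
SAMPLE_ENTRIES = [
    ("CVE-2025-67906", "In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path."),
    ("CVE-2024-45509", "In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin."),
    ("CVE-2024-29859", "In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload."),
    ("CVE-2023-48655", "An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters."),
    ("CVE-2023-40224", "MISP 2.4.174 allows XSS in app/View/Events/index.ctp."),
    ("CVE-2026-56423", "MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups."),
]

if __name__ == "__main__":
    # Constructed installed version; change it to your own instance's.
    for bucket, ids in zip(("affected", "unaffected", "unknown"),
                           triage(SAMPLE_ENTRIES, "2.4.180")):
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Entries that land in the unknown bucket (the four 2026 items here, whose descriptions are cut off on this page) need the full advisory before they can be dismissed; the helper deliberately refuses to guess a range for them.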
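The 2026 entries above describe two bug classes rather than single pages: a bulk deleteSelection handler that authorizes on the caller's role and never checks ownership of each selected object, and capture paths that copy client-supplied primary and foreign keys (id, event_id, org_id, sharing_group_id and the like) straight into the record. The following example, added here and not taken from MISP (which is PHP/CakePHP; this is a Python stand-in with a constructed object model, roles and data), shows each pattern beside a hardened version: per-object ownership checks in the bulk path, and an allow-list of writable fields with scope keys taken from server-side context instead of the request body. Every name in it is hypothetical.

```python
"""Per-object authorization and field allow-listing, vulnerable vs hardened.

Added example, not MISP's code. The User/Report model, the perm_delete
role flag and the allow-list are constructed stand-ins for the patterns
the 2026 listing entries describe.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class User:
    id: int
    org_id: int
    perm_delete: bool   # role-level flag (constructed stand-in for a role permission)


@dataclass
class Report:
    id: int
    org_id: int         # owning organisation
    deleted: bool = False


# --- bulk deletion ---------------------------------------------------------

def delete_selection_vulnerable(user: User, store: Dict[int, Report],
                                ids: Iterable[int]) -> List[int]:
    """Role check only: anyone whose role carries perm_delete removes
    every id in the selection, including objects owned by other orgs."""
    if not user.perm_delete:
        raise PermissionError("role lacks delete permission")
    ids = list(ids)
    for oid in ids:
        store[oid].deleted = True
    return ids


def can_edit(user: User, obj: Report) -> bool:
    """Ownership rule for this toy model: same organisation may edit."""
    return user.org_id == obj.org_id


def delete_selection_hardened(user: User, store: Dict[int, Report],
                              ids: Iterable[int]) -> Tuple[List[int], List[int]]:
    """Role check, then an ownership check on every selected object.
    Unknown ids and foreign objects are reported as denied, not deleted,
    and the caller gets both lists so nothing fails silently."""
    if not user.perm_delete:
        raise PermissionError("role lacks delete permission")
    deleted, denied = [], []
    for oid in ids:
        obj = store.get(oid)
        if obj is None or not can_edit(user, obj):
            denied.append(oid)
            continue
        obj.deleted = True
        deleted.append(oid)
    return deleted, denied


# --- capture / mass assignment ---------------------------------------------

# Fields a client may legitimately set on this toy object. Anything else,
# in particular the scope and ownership keys named in the listing
# (id, event_id, org_id, user_id, sharing_group_id, ...), is dropped.
WRITABLE = frozenset({"name", "content", "distribution"})


def capture_vulnerable(payload: dict, user: User, event_id: int) -> dict:
    """Server fills scope keys, then client fields overwrite them: the
    client picks the target id and the owning org."""
    record = {"org_id": user.org_id, "event_id": event_id}
    record.update(payload)
    return record


def capture_hardened(payload: dict, user: User, event_id: int) -> Tuple[dict, List[str]]:
    """Allow-list writable fields, then set scope keys from the session and
    URL context last so the request body can never override them."""
    record = {k: v for k, v in payload.items() if k in WRITABLE}
    rejected = sorted(k for k in payload if k not in WRITABLE)
    record["org_id"] = user.org_id
    record["event_id"] = event_id
    return record, rejected
```

The two hardened functions share one property worth checking in any review of a CakePHP-style controller: the decision is made per object and per field, with ownership derived from the authenticated user and the route, never from a role bit or a request body alone.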