PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10856 misp CVE debrief

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs to forward slashes, which turns such a path into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.

An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed, validated URL in the anchor href.
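To make the two weaknesses described above concrete, here is an added example in Python (not code from MISP or from the advisory) that models a pre-fix and a post-fix local-URL check side by side, plus a simplified model of how a browser following the WHATWG URL rules would resolve the resulting href. All function names and the sample URLs are constructed for illustration; the check logic follows only what the advisory states (reject scheme/host/user; after the fix, also reject empty paths and paths beginning with a slash and a backslash, and emit only the reconstructed URL).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample inputs for the demonstration (not from the advisory).
# The fourth mirrors the "/\example.com" shape the advisory describes.
SAMPLES = [
    "/events/index",           # genuine in-app path: accepted by both checks
    "https://attacker.test/",  # explicit scheme: rejected by both checks
    "//attacker.test/",        # host component present: rejected by both checks
    "/\\attacker.test/",       # slash + backslash: the gap in the pre-fix check
    "",                        # empty path: rejected only by the post-fix check
]


def _rebuild_local(url: str) -> str:
    """Reconstruct a URL from only its path, query and fragment components."""
    p = urlsplit(url)
    return urlunsplit(("", "", p.path, p.query, p.fragment))


def is_local_before_fix(url: str) -> bool:
    """Hypothetical pre-fix check: reject scheme, host or user, nothing else.
    Python's urlsplit does not treat a backslash specially, so '/\\host' parses
    as a plain path with no host and slips through this check."""
    p = urlsplit(url)
    return not (p.scheme or p.netloc or p.username)


def is_local_after_fix(url: str) -> bool:
    """Hypothetical post-fix check: additionally reject empty paths and paths
    that start with a slash followed by a backslash."""
    p = urlsplit(url)
    if p.scheme or p.netloc or p.username:
        return False
    if not p.path or p.path.startswith("/\\"):
        return False
    return True


def href_before_fix(url: str) -> str:
    """Pre-fix href construction: reconstructed URL concatenated with the
    original input, which doubles the path and keeps any backslash."""
    return _rebuild_local(url) + url


def href_after_fix(url: str) -> str:
    """Post-fix href construction: only the reconstructed, validated URL."""
    return _rebuild_local(url)


def browser_resolves_external(href: str) -> bool:
    """Simplified model of WHATWG URL parsing for an http(s) document:
    backslashes are treated as forward slashes, so a relative href that
    begins with '//' after normalization is scheme-relative and carries a
    host, i.e. it navigates off the current origin."""
    normalized = href.replace("\\", "/")
    return normalized.startswith("//")


def audit(urls: list[str]) -> dict[str, dict[str, bool]]:
    """For each candidate URL, report whether each check accepts it and
    whether the pre-fix href would be resolved externally by the browser."""
    report = {}
    for url in urls:
        before = is_local_before_fix(url)
        report[url] = {
            "accepted_before_fix": before,
            "accepted_after_fix": is_local_after_fix(url),
            # Only a URL that passed the pre-fix check ever reached the href.
            "external_before_fix": before
            and browser_resolves_external(href_before_fix(url)),
        }
    return report


if __name__ == "__main__":
    for url, result in audit(SAMPLES).items():
        print(repr(url), result)
```

Running the block shows that `/\attacker.test/` is accepted by the pre-fix check, and that its pre-fix href normalizes to a `//attacker.test/...` scheme-relative target, while the post-fix check rejects it outright and the empty path is also rejected. Note that the browser model is deliberately minimal: it covers the slash-normalization behaviour the advisory relies on and nothing more.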

Vendor: misp
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of the MISP dashboard button widget

Technical summary

The MISP dashboard button widget did not reject paths beginning with a slash followed by a backslash, so an attacker could craft a button URL that appears to be local but is resolved by browsers as a scheme-relative link to an external site.

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply the patch: [ref-4](https://github.com/MISP/MISP/commit/f879f16fb5db7a9aab0a70fdcafea12ce4847e9a)

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide additional information about the vulnerability.

Official resources

CVE-2026-10856 was published on 2026-06-04T14:16:37.947Z and modified on 2026-06-08T13:59:08.217Z.