PatchSiren cyber security CVE debrief
CVE-2026-54393 misp CVE debrief
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload. The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with. The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.
- Vendor
- misp
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Operators of MISP instances that run the Overmind theme. The precondition is an authenticated account on the instance, so any user who can log in can plant the payload; the crafted value is then rendered by the news view, and the JavaScript runs in the MISP origin when the rendered link is interacted with.
Technical summary
Root cause: the setHomePage endpoint persisted the user-controlled path through setSettingInternal() instead of setSetting(), so the validate_homepage rule (the path must start with `/`) and the access checks that setSetting() applies never ran. Sink: app/View/News/index.ctp emitted the stored value unescaped into the href attribute of the "Continue to homepage" link. Together these let an authenticated user store a value that breaks out of the attribute or carries a script URL, and the browser that renders the link can execute attacker-controlled JavaScript in the context of the MISP instance. The fix closes both layers: the setting is persisted only through setSetting(), so validation applies, and the view HTML-escapes the value before placing it in the attribute.
Defensive priority
MEDIUM
Recommended defensive actions
- Update MISP to a release that contains the fix (homepage persisted through setSetting() and escaped in the news view).
- If the Overmind theme is deployed from a source other than the MISP release itself, keep it current as well. If patching is delayed, switching the instance away from the Overmind theme removes the precondition the advisory names.
- Do not rely on restricting setHomePage to authenticated users: the reported attacker is already authenticated. As an interim check, review stored user homepage values and reset any that would fail validate_homepage (not starting with `/`) or that contain quote or angle-bracket characters.
- Apply the same two-layer pattern in your own CakePHP code: validate on write through the normal setting path rather than an internal bypass, and escape on output (CakePHP's h() helper) for every stored value placed in an HTML attribute.
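The following PHP is an added illustration for this debrief, not MISP's own code. It models the two layers the fix relies on (a validate_homepage-style prefix check on write and HTML escaping in the attribute context on read) and an audit helper for already-stored values. The function names, the `['value' => ['path' => ...]]` row shape and the sample payloads are assumptions for illustration; the point it shows is that each layer alone is insufficient: the prefix rule does not stop an attribute breakout that begins with `/`, and escaping does not neutralise a `javascript:` URL.

```php
<?php
// Added example, not MISP code. Row shape and names are assumptions.

// Layer 1: the validate_homepage rule as the advisory describes it.
function validateHomepage(string $path): bool
{
    return strlen($path) > 0 && $path[0] === '/';
}

// Vulnerable sink: value interpolated into href without escaping
// (the pre-fix behaviour of the news view, per the advisory).
function renderLinkUnescaped(string $homepage): string
{
    return '<a href="' . $homepage . '">Continue to homepage</a>';
}

// Hardened sink: escape for an attribute context. CakePHP's h() wraps
// htmlspecialchars() the same way.
function renderLinkEscaped(string $homepage): string
{
    $safe = htmlspecialchars($homepage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">Continue to homepage</a>';
}

// Persist-time behaviour after the fix: validate before storing.
function storeHomepage(array &$store, int $userId, string $path): bool
{
    if (!validateHomepage($path)) {
        return false;
    }
    $store[$userId] = ['path' => $path];
    return true;
}

// Audit heuristic for existing data: flag rows that fail the validator
// or carry characters that only make sense in an injection attempt.
function auditHomepages(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $path = $row['value']['path'] ?? '';
        if (!validateHomepage($path) || preg_match('/[<>"\']/', $path)) {
            $flagged[] = $row['user_id'];
        }
    }
    return $flagged;
}

// Constructed sample rows: two benign paths, one attribute breakout that
// satisfies the prefix rule, one scheme payload that does not.
$sampleRows = [
    ['user_id' => 1, 'value' => ['path' => '/events/index']],
    ['user_id' => 2, 'value' => ['path' => '/dashboard']],
    ['user_id' => 3, 'value' => ['path' => '/" onmouseover="alert(1)']],
    ['user_id' => 4, 'value' => ['path' => 'javascript:alert(1)']],
];

$store = [];
foreach ($sampleRows as $row) {
    $ok = storeHomepage($store, $row['user_id'], $row['value']['path']);
    echo ($ok ? 'stored  ' : 'rejected') . ' user ' . $row['user_id'] . "\n";
}

// User 3 passes the prefix rule, so only escaping keeps it inside the attribute.
echo renderLinkUnescaped($sampleRows[2]['value']['path']) . "\n";
echo renderLinkEscaped($sampleRows[2]['value']['path']) . "\n";

// User 4 is unchanged by escaping, so only the prefix rule stops it.
echo renderLinkEscaped($sampleRows[3]['value']['path']) . "\n";

echo 'audit flags users: ' . implode(', ', auditHomepages($sampleRows)) . "\n";
```

Run with `php example.php`. Users 1 to 3 are stored and user 4 is rejected; the escaped render of user 3 shows `/&quot; onmouseover=&quot;alert(1)` inside the href rather than a new attribute; the audit flags users 3 and 4. For a real instance the rows would come from wherever MISP keeps per-user settings, which this example does not assume.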
Evidence notes
The CVE record for CVE-2026-54393 provides additional information about this vulnerability.
Official resources
- CVE-2026-54393 CVE record (CVE.org)
- CVE-2026-54393 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVE-2026-54393 was published on 2026-06-12T21:16:25.000Z.