PatchSiren

MISP CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL misp CVE published 2026-06-22

CVE-2026-56425

CVE-2026-56425 involves multiple weaknesses in the OAuth 2.0 authorization flow of Azure Active Directory (AAD) authentication implementation. These weaknesses could allow attackers to bypass important security guarantees provided by the protocol. The affected product or scope appears to be the AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration). Defender exposure questions include [truncated]

HIGH misp CVE published 2026-06-22

CVE-2026-56424

CVE-2026-56424 involves multiple broken access-control flaws in the MISP core. These flaws allow lower-privileged authenticated users with relevant feature permissions to perform unauthorized actions, including cross-organization modifications or deletions of MISP data. This could result in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows. The CVSS score [truncated]

CRITICAL misp CVE published 2026-06-22

CVE-2026-56423

CVE-2026-56423 is a critical vulnerability in MISP Core's bulk deletion functionality. Affected handlers used broad role-level permissions instead of object-specific authorization checks. An authenticated attacker with relevant role permissions could delete Event Reports and Sharing Groups outside their organization's scope, leading to data loss across the instance.

CRITICAL misp CVE published 2026-06-22

CVE-2026-56422

CVE-2026-56422 is a critical vulnerability with a CVSS score of 9.4, affecting MISP core controllers and model capture paths. An authenticated user with access to one authorized object could submit crafted REST or form payloads, causing MISP to save data against a different object than the one checked by the authorization logic. This could lead to object overwrite, object re-parenting, ownership transfer, [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54398

CVE-2026-54398 is a MEDIUM severity vulnerability in MISP, allowing an authenticated user to assign a MISP object or attributes to a sharing group without being authorized to use or view it. The flaw occurs due to incorrect sharing group validation when editing objects, enabling an attacker to potentially disclose non-visible sharing groups and modify distribution metadata.

MEDIUM misp CVE published 2026-06-12

CVE-2026-54397

A vulnerability in MISP's non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event's sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authoriz [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54396

CVE-2026-54396 is an information disclosure vulnerability in the MISP AuthKey edit functionality. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

MEDIUM misp CVE published 2026-06-12

CVE-2026-54395

CVE-2026-54395 is a reflected cross-site scripting (XSS) vulnerability in the MISP (Malware Information Sharing Platform) UiBeta event index view. The vulnerability arises from the improper handling of user-supplied input in the `urlparams` value, which is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Due to browser behavior, an attacker can craft [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54394

CVE-2026-54394 is a path traversal vulnerability in MISP's OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54393

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54362

CVE-2026-54362 is a vulnerability in the MISP (Malware Information Sharing Platform) event template builder. The issue arises from an incorrect visibility condition, which allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. This was due to a PHP comparison expression being used instead of a query condition in the custom access-control condit [truncated]

HIGH misp CVE published 2026-06-12

CVE-2026-54361

CVE-2026-54361 is a HIGH-severity vulnerability in MISP, a threat intelligence platform. The issue involves multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. These vulnerabilities could allow an authenticated attacker to craft requests containing protected fields, potentially altering object ownership, redirecting updates to [truncated]

HIGH misp CVE published 2026-06-12

CVE-2026-54360

A mass assignment vulnerability exists in MISP's sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission t [truncated]

HIGH misp CVE published 2026-06-12

CVE-2026-54359

CVE-2026-54359 is a HIGH severity vulnerability with a CVSS score of 7.1. The vulnerability exists in MISP due to an insecure default configuration where the Security.check_sec_fetch_site_header control is disabled. This allows a remote unauthenticated attacker to craft a malicious web page that causes an authenticated MISP user’s browser to issue cross-site requests to MISP automation endpoints. Successf [truncated]

HIGH misp CVE published 2026-06-12

CVE-2026-54358

CVE-2026-54358 is an incorrect authorization vulnerability in MISP that allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization but did not exclude accounts assigned a site administrator role from recipient que [truncated]

MEDIUM misp CVE published 2026-06-12

CVE-2026-54357

CVE-2026-54357 is an improper authorization vulnerability in MISP that allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organiza [truncated]

MEDIUM misp CVE published 2026-06-10

CVE-2026-53693

A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. The patch adds shared escaping helpers for HTML, attributes, [truncated]

CRITICAL misp CVE published 2026-06-04

CVE-2026-10868

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an uni [truncated]

MEDIUM misp CVE published 2026-06-04

CVE-2026-10864

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. This could lead to disclosure of restricted user or organisation metadata, including user e-mail addresses depending on configuration.

MEDIUM misp CVE published 2026-06-04

CVE-2026-10863

A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and p [truncated]

HIGH misp CVE published 2026-06-04

CVE-2026-10860

CVE-2026-10860 is a HIGH severity vulnerability with a CVSS score of 7.9. The vulnerability exists in the MISP CRUD component delete handler, where a logic error allowed validation failures to be bypassed when requests used the HTTP DELETE method. This was due to missing parentheses in the delete condition, causing the expression to be evaluated incorrectly. An authenticated attacker with access to an aff [truncated]

MEDIUM misp CVE published 2026-06-04

CVE-2026-10861

CVE-2026-10861 is an open redirect vulnerability in MISP UsersController::routeafterlogin(). An unauthenticated remote attacker could craft a link to redirect a victim to an attacker-controlled external URL after successful authentication, potentially increasing the credibility of phishing attacks or delivering attacker-controlled content. The vulnerability is described as CWE-601, which involves acceptin [truncated]

MEDIUM misp CVE published 2026-06-04

CVE-2026-10856

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /<wbr>example.com. Some browsers normalize backslashes in [truncated]

MEDIUM misp CVE published 2026-06-04

CVE-2026-10855

An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcib [truncated]

MEDIUM misp CVE published 2026-06-04

CVE-2026-10854

A visibility control issue was discovered in the event template creation workflow of MISP, allowing non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who shou [truncated]

MEDIUM misp CVE published 2026-05-28

CVE-2026-9806

A stored cross-site scripting (XSS) vulnerability in CTI Transmute's notification panel allowed JavaScript injection via unsanitized convert names rendered with innerHTML. The vulnerability was confined to a development branch and has been remediated by switching to DOM construction methods with textContent assignment.

MEDIUM misp CVE published 2026-05-20

CVE-2026-9137

CVE-2026-9137 is a medium-severity availability issue (CVSS 5.1) in a CSP report endpoint. The endpoint was intended to limit logged CSP reports to 1 KB, but the supplied source indicates it incorrectly allowed reports up to 1 MB before truncation. If the endpoint is reachable by untrusted clients, an attacker could drive excessive log volume and contribute to resource exhaustion or log flooding.

MEDIUM misp CVE published 2026-05-20

CVE-2026-9084

CVE-2026-9084 describes an authentication weakness in MISP’s OIDC plugin where an OIDC identity could be automatically linked to an existing local user account using the email claim if that account did not already have a stored sub value. In environments where the identity provider does not strongly enforce email ownership or is otherwise untrusted, a valid OIDC token asserting a victim’s email address co [truncated]

MEDIUM MISP CVE published 2026-05-13

CVE-2026-44379

CVE-2026-44379 is a medium-severity vulnerability in MISP Collections that did not enforce RFC 4122 UUID validation on the uuid field prior to version 2.5.37. This oversight allowed users with the ability to create or modify Collection records to submit malformed UUID values, potentially causing integrity issues or unexpected behavior in code paths that assume Collection UUIDs are valid identifiers. The v [truncated]

HIGH MISP CVE published 2026-04-09

CVE-2026-39962

CVE-2026-39962 is a high-severity LDAP injection vulnerability in the MISP (Malware Information Sharing Platform) open-source threat intelligence and sharing platform. The issue, fixed in version 2.5.36, arises from improper neutralization of special elements in an LDAP query within the ApacheAuthenticate.php file. This allows an attacker to manipulate the LDAP search filter by controlling the username va [truncated]