Skip to main content
CVE-2025-67906 CRITICAL PATCH Act Now

Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.

XSS Misp
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy