
MISP CVE-2025-67906

CRITICAL 9.0 (CVSS 3.1 · NVD)
Cross-site Scripting (XSS) (CWE-79)
2025-12-15 cve@mitre.org

Severity by source

NVD (primary): 9.0 CRITICAL, AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI: 9.0 CRITICAL

Network-reachable web UI (AV:N), straightforward injection (AC:L), requires authenticated workflow-editor account (PR:L), needs victim to load page (UI:R), script crosses session/authorization boundary (S:C) with full session compromise.

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 22, 2026 - 20:30 (vuln.today)
Analysis Generated: Jun 22, 2026 - 20:30 (vuln.today)

Description (NVD)

In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

Analysis (AI)

Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated users with workflow privileges to inject arbitrary JavaScript via the workflow execution path view (executionPath.ctp), where doT.js template expressions used unescaped interpolation. Successful exploitation against a user who views the affected page (UI:R) results in scope-changed compromise of the victim's MISP session, including high-confidentiality/integrity/availability impact (CVSS 9.0). Publicly available exploit code exists in researcher-published repositories; no CISA KEV listing at time of analysis.

Technical Context (AI)

MISP is an open-source threat intelligence sharing platform written in PHP (CakePHP) with client-side templating provided by doT.js. In doT.js, the {{=expr}} syntax performs raw, unescaped interpolation, while {{!expr}} HTML-encodes the value. The pre-patch executionPath.ctp template rendered workflow node attributes (icon, icon_class, icon_path, name) through {{=}}, so any attacker-influenced workflow metadata was injected verbatim into the DOM - a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. The affected CPE is cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:* covering all builds prior to 2.5.28.
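
The difference between the two interpolation forms, as an added example that is not MISP's or doT.js's own code. The `render` function is a minimal stand-in that only resolves `it.<field>` paths, and the template and node values are constructed; `findRawInterpolations` is a hypothetical lint helper for reviewing templates.

```javascript
// Added example: minimal stand-in for doT.js's two interpolation forms.
// It is NOT doT.js; it only resolves `it.<field>` paths for illustration.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Render {{=it.field}} raw and {{!it.field}} HTML-encoded.
function render(template, it) {
  return template.replace(/\{\{([=!])\s*it\.(\w+)\s*\}\}/g, (_, mode, field) => {
    const value = it[field] === undefined ? '' : it[field];
    return mode === '!' ? encodeHtml(value) : String(value);
  });
}

// Lint: report every raw {{= ... }} expression with its line number.
function findRawInterpolations(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(/\{\{=\s*([^}]+?)\s*\}\}/g)) {
      findings.push({ line: index + 1, expr: match[1] });
    }
  });
  return findings;
}

// Constructed templates, modelled on the attribute names the page lists.
const before = '<i class="{{=it.icon_class}}"></i>\n<span>{{=it.name}}</span>';
const after = before.replace(/\{\{=/g, '{{!');

// Constructed node metadata carrying markup in a field meant to be text.
const node = { icon_class: 'fa fa-cog', name: '<b>renamed</b> node' };

console.log(findRawInterpolations(before)); // two findings, lines 1 and 2
console.log(render(before, node));          // markup reaches the output as-is
console.log(render(after, node));           // markup is entity-encoded
```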

Remediation (AI)

Vendor-released patch: upgrade to MISP 2.5.28 or later, which replaces unsafe doT.js {{=}} interpolation with HTML-escaped {{!}} interpolation in the workflow execution path template (fix commit https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054, release diff https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28). If immediate upgrade is not feasible, restrict the workflow_user / site_admin roles to a minimum set of trusted operators so untrusted users cannot author workflow node metadata, audit existing workflows for suspicious icon/name fields, and consider deploying a Content Security Policy that disallows inline scripts on the MISP UI - note this may break other MISP UI components that rely on inline script and should be validated in staging. As a last resort, disabling the workflows feature in config.php prevents access to the vulnerable view but removes legitimate automation functionality.
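
One way to run the workflow audit mentioned above, as an added example that is not part of MISP. The field names are the ones this page lists; the shape of the exported workflow JSON and the sample values are assumptions constructed for illustration, so the walker accepts any nesting.

```javascript
// Field names come from the page; the export shape below is an assumption.
const AUDITED_FIELDS = new Set(['icon', 'icon_class', 'icon_path', 'name']);
// Characters and prefixes that do not belong in an icon identifier, path or
// display name and that matter when the value is interpolated unescaped.
const MARKUP = /[<>"'`]|&#|javascript:/i;

// Walk any JSON value and collect audited fields whose string value matches.
function auditWorkflow(value, path = '$', findings = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => auditWorkflow(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (AUDITED_FIELDS.has(key) && typeof child === 'string' && MARKUP.test(child)) {
        findings.push({ path: childPath, value: child });
      }
      auditWorkflow(child, childPath, findings);
    }
  }
  return findings;
}

// Constructed sample: one clean node, one node with markup in two fields.
const exported = {
  Workflow: {
    name: 'Publish filter',
    data: {
      '1': { data: { name: 'Tag if', icon: 'code-branch' } },
      '2': { data: { name: '<b>Enrich</b>', icon_class: 'fa" data-x="1' } },
    },
  },
};

for (const finding of auditWorkflow(exported)) {
  console.log(`${finding.path}: ${JSON.stringify(finding.value)}`);
}
```

Flagged values need human review: a legitimate display name containing an apostrophe will also match.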
