
MISP CVE-2026-10856

EUVD-2026-34262 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-04 CIRCL GHSA-rx96-8w86-5hhh
5.1 CVSS 4.0 · Vendor: CIRCL

Severity by source

Vendor (CIRCL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Primary rating from Vendor (CIRCL) · only source for this CVE.

CVSS Vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 04, 2026 16:24 (vuln.today)
Analysis Generated: Jun 04, 2026 16:24 (vuln.today)
CVSS changed: Jun 04, 2026 14:22 (NVD), 5.1 (MEDIUM)
CVE Published: Jun 04, 2026 13:17 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.

An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.

Analysis (AI-generated)

Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\, a pattern that several browsers normalize into a scheme-relative URL (i.e., //attacker.com). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Attacker authenticates with high-privileged MISP account
Delivery: Configures dashboard button widget with /\attacker.com payload
Exploit: Malicious button renders in shared analyst dashboard
Execution: Victim analyst clicks button link
Persist: Browser normalizes /\ to scheme-relative external URL
Impact: Victim navigated to attacker-controlled phishing site

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must hold a MISP account with high-level privileges sufficient to configure dashboard button widgets (PR:H per CVSS 4.0 vector); this is not a default low-privilege user capability. …

Risk Assessment: The CVSS 4.0 base score of 5.1 with vector AV:N/AC:L/AT:N/PR:H/UI:N reflects network-reachable exploitation requiring high-level authentication (PR:H) and no additional attack prerequisites. …

Exploit Scenario: An attacker who has obtained or legitimately holds a high-privileged MISP account navigates to the dashboard configuration and creates or modifies a button widget, setting its URL to /\attacker.com/credential-harvest. The button renders in the shared MISP dashboard appearing as a benign internal link; when an analyst clicks it, their browser normalizes the backslash to a forward slash and resolves //attacker.com/credential-harvest as an external HTTPS navigation, delivering the analyst to a phishing page styled to match the MISP login screen. …

Remediation: The upstream fix is available in MISP commit f879f16fb5db7a9aab0a70fdcafea12ce4847e9a, which modifies Button.ctp to reject empty paths and any path whose second character is a backslash, and also removes the double-concatenation of betterUrl and $url in the anchor href. …
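The validation logic described in the Description and Remediation sections, as an added example written for this page (not MISP's Button.ctp code): Python's urllib.parse stands in for the PHP URL parser, vulnerable_is_local mirrors the pre-patch allowlist, patched_is_local adds the two rejections the fix introduces, and browser_view_is_external approximates the backslash-to-slash normalization that turns /\host into a scheme-relative URL.

```python
"""Reconstruction of the dashboard-button URL check (constructed example,
not MISP's Button.ctp). Models the pre-patch allowlist, the patched check,
and the href generation before and after the double-concatenation fix."""
from urllib.parse import urlsplit, urlunsplit


def _has_external_parts(url: str) -> bool:
    """True when the URL carries an explicit scheme, host or userinfo."""
    parts = urlsplit(url)
    return bool(parts.scheme or parts.netloc or parts.username)


def vulnerable_is_local(url: str) -> bool:
    """Pre-patch rule as described: only scheme/host/user are rejected,
    so "/\\example.com" passes because the parser sees it as a bare path."""
    return not _has_external_parts(url)


def patched_is_local(url: str) -> bool:
    """Patched rule as described: additionally reject an empty path and
    any path whose first character is "/" and second is a backslash."""
    if _has_external_parts(url):
        return False
    path = urlsplit(url).path
    if path == "" or (len(path) > 1 and path[0] == "/" and path[1] == "\\"):
        return False
    return True


def browser_view_is_external(url: str) -> bool:
    """Approximate the browser behaviour the advisory relies on: some
    browsers treat "\\" as "/" before resolving, so "/\\host" becomes the
    scheme-relative "//host", which has an authority component."""
    return bool(urlsplit(url.replace("\\", "/")).netloc)


def rebuild_local_url(url: str) -> str:
    """Reconstruct a validated local URL from path, query and fragment only."""
    p = urlsplit(url)
    return urlunsplit(("", "", p.path, p.query, p.fragment))


def vulnerable_href(url: str) -> str:
    """Pre-patch href as described: rebuilt URL concatenated with the
    original, producing malformed links such as "/a?x=1/a?x=1"."""
    return rebuild_local_url(url) + url


def patched_href(url: str) -> str:
    """Patched href: only the reconstructed, validated URL is emitted."""
    return rebuild_local_url(url)
```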



CVE-2026-10856 vulnerability details – vuln.today
