Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. The patch adds shared escaping helpers for HTML, attributes, JavaScript strings, and CSS color validation, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards.
An attacker able to create or influence stored tag or metadata values could inject a crafted payload that is later rendered in another user’s browser. Successful exploitation could execute arbitrary JavaScript in the victim’s session when they view affected BSimVis pages, potentially allowing the attacker to perform actions as the victim, read data available to the victim, or alter displayed application content.
This issue affects MISP bsimvis: through v0.2.0.
AnalysisAI
Stored cross-site scripting in MISP BSimVis through v0.2.0 allows network-accessible attackers who can create or influence tag names, collection names, entity identifiers, cluster names, or tag metadata to inject malicious payloads that execute in victims' browsers. The vulnerability spans multiple client-side rendering paths in tags.js, where user-controlled values were interpolated raw into innerHTML, HTML attributes, inline JavaScript event handlers, and CSS style values - covering tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. No public exploit has been identified at time of analysis; the issue was reported and patched by CIRCL, the primary MISP development organization.
Technical ContextAI
BSimVis is a browser-side visualization component for MISP (Malware Information Sharing Platform), a widely deployed threat intelligence sharing platform used in security operations. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), manifesting across multiple distinct injection sinks in tags.js. Tag names were interpolated into innerHTML via template literals (e.g., <b>${tag}</b>), CSS color fields from metadata were written directly into style attributes without validation, and collection/cluster identifiers were inserted into context menu HTML and tooltip content. The patch introduces four context-aware escaping helpers: escapeHtml() replacing &, <, >, ', and " with HTML entities; escapeAttr() aliased to escapeHtml for attribute contexts; jsString() using JSON.stringify plus additional Unicode escaping for JS string contexts (\u003C, \u003E, \u0026, \u2028, \u2029); and safeCssColor() applying regex allowlisting for hex, rgb/rgba, and hsl/hsla formats before writing color values to CSS. The affected CPE is cpe:2.3:a:misp:bsimvis:*:*:*:*:*:*:*:* covering all versions through v0.2.0.
RemediationAI
Upgrade MISP BSimVis to a version incorporating commit 7bcd2c2e27647dccdfb71877e905fbb032124a63, available at https://github.com/MISP/bsimvis/commit/7bcd2c2e27647dccdfb71877e905fbb032124a63; verify with the MISP project whether this has been released as a tagged version above v0.2.0. As a compensating control prior to patching, restrict BSimVis page access to a minimally trusted user population and enforce strict controls on who can create or modify tags, collection names, entity identifiers, cluster names, and tag color metadata - reducing the attacker's injection surface. Audit existing stored tag data for suspicious values containing patterns such as script tags, javascript: URIs, or inline event handler strings (onerror=, onload=, etc.). Note that access restriction does not eliminate risk from insider threats or accounts compromised through other means; patching remains the only complete remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36051
GHSA-m277-g9rj-mm6h