
MISP CVE-2026-54393

EUVD: EUVD-2026-36581 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-12 · CIRCL · GHSA-4hg7-5g9q-5922
Score: 5.1 (CVSS 4.0 · Vendor: CIRCL)

Severity by source

Vendor (CIRCL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Authenticated attacker required (PR:L); victim must click crafted link (UI:R); XSS executes across browser scope boundary (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A (Active)
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 12, 2026 - 21:26 (vuln.today)
Analysis Generated: Jun 12, 2026 - 21:26 (vuln.today)

Description (CVE.org)

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.

The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.

The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.
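To make the two controls named above concrete, here is an added example in plain PHP. It is not MISP's code and does not use the project's API: the function names (validateHomepage, setHomepageSetting, renderHomepageLink), the in-memory $store and the sample values are constructed for illustration. It models the vulnerable write that skipped validation, the fixed write that validates first, and the escaped rendering of the href, using the javascript: value the advisory itself cites.

```php
<?php
// Added example (not MISP's own code): a minimal model of the two controls the
// advisory describes. Function names, the in-memory $store and the sample
// values are constructed for illustration.

/**
 * Models the intent of the validate_homepage rule as the advisory describes
 * it: a homepage value must be a site-local path starting with "/".
 * Hypothetical helper, not the project's validator.
 */
function validateHomepage(string $path): bool
{
    // Exactly one leading slash: "//host/x" would be a protocol-relative URL.
    if (!preg_match('#^/(?!/)#', $path)) {
        return false;
    }
    // No whitespace or control characters inside a path value.
    if (preg_match('/[\x00-\x1F\x7F\s]/', $path)) {
        return false;
    }
    return true;
}

/**
 * Persists the homepage value. $validate === false models the vulnerable
 * setSettingInternal() path that skipped validation; true models setSetting().
 */
function setHomepageSetting(array &$store, string $path, bool $validate): bool
{
    if ($validate && !validateHomepage($path)) {
        return false;          // rejected, nothing stored
    }
    $store['homepage'] = $path;
    return true;
}

/** Renders the link the way the fixed news view does: escape, then insert. */
function renderHomepageLink(string $homepage): string
{
    $escaped = htmlspecialchars($homepage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Continue to homepage</a>';
}

// --- Demonstration with constructed values --------------------------------
$store   = [];
$payload = 'javascript:alert(document.cookie)';   // the value the advisory cites
$benign  = '/events/index';                       // constructed local path

// 1. Vulnerable flow: validation bypassed, payload persisted.
setHomepageSetting($store, $payload, false);
echo "Vulnerable flow stored: {$store['homepage']}\n";

// 2. Escaping alone does not neutralise a javascript: URL: it contains no
//    characters that htmlspecialchars() changes, so the rendered href would
//    still run script on click. The path validation is what stops this value.
echo "Rendered: ", renderHomepageLink($store['homepage']), "\n";

// 3. Fixed flow: the same value is rejected before it is stored.
$store    = [];
$accepted = setHomepageSetting($store, $payload, true);
echo "Fixed flow accepted payload? ", var_export($accepted, true), "\n";

// 4. A legitimate local path passes validation and renders safely.
setHomepageSetting($store, $benign, true);
echo "Fixed flow stored: {$store['homepage']}\n";
echo "Rendered: ", renderHomepageLink($store['homepage']), "\n";
```

The point worth taking from the demonstration is that the two fixes cover different failure modes and neither replaces the other: the leading-slash validation is what keeps a javascript: scheme out of the stored value, while HTML escaping at the sink prevents a stored value from breaking out of the href attribute. When auditing a similar fix, check both that every write path goes through the validating setter and that the view escapes at the point of output.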

Analysis (AI)

Stored cross-site scripting in MISP's setHomePage endpoint allows an authenticated user to persist an arbitrary JavaScript payload as their homepage setting when the Overmind theme is active, which later executes in any victim's browser upon viewing the News page and clicking the "Continue to homepage" link. The root cause is a theme-conditional code path in UserSettingsController that called setSettingInternal() directly, bypassing the validate_homepage validator that enforces a leading slash on path values, combined with an unescaped output sink in app/View/News/index.ctp. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to target MISP instance
Delivery: Submit crafted XSS path to setHomePage endpoint
Exploit: setSettingInternal() bypasses validate_homepage
Install: Payload persisted to database
C2: Victim loads MISP News page
Execute: Victim clicks unescaped href link
Impact: Attacker JavaScript executes in victim browser context

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid authenticated account on the target MISP instance. The provided CVSS 4.0 vector's PR:N is inconsistent with this requirement and should be treated with caution pending vendor clarification; the analyst assesses PR:L as the accurate metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The vendor-supplied CVSS 4.0 score is 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:A. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An authenticated MISP user with the Overmind theme active submits a crafted POST request to the setHomePage endpoint with a path value of javascript:alert(document.cookie) or a more sophisticated payload that exfiltrates the session token to an attacker-controlled server. The value is stored without validation due to the setSettingInternal() bypass. …
Remediation: Apply the upstream fix from commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2 (https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2), which routes all setHomePage calls through setSetting() regardless of active theme and adds h() HTML-escaping to the homepage href rendering in the news view. … Detailed patch versions, workarounds, and compensating controls in full report.
