Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8) · only source for this CVE.
CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
AnalysisAI
Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.
Technical ContextAI
The vulnerability resides in MISP's legacy templating engine (deprecated and removed in 2.5.38) within the TemplateElementAttribute model class. The application failed to validate user-supplied values for the 'type' and 'category' fields against the known MISP attribute type and category definitions before storing them in the database. Additionally, the AJAX template element edit view rendered these values directly into JavaScript without proper escaping or JSON encoding, creating a stored XSS vector. The underlying root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), compounded by unsafe direct output rendering in client-side JavaScript context. The fix (commit 62824e5) introduces server-side validation using ClassRegistry to load MispAttribute definitions and cross-check user input, and client-side remediation via json_encode() for proper JavaScript context escaping.
RemediationAI
Upgrade MISP to version 2.5.37 or later, which implements input validation for template element attribute type and category fields and adds proper JSON encoding for JavaScript context output. The fix can be obtained from the official MISP GitHub repository at https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0. For deployments unable to upgrade immediately, restrict template element attribute creation and modification to a minimal set of trusted administrators, and conduct a database audit for any existing template element attributes with suspicious type or category values using SQL queries against the TemplateElementAttribute table. Additionally, disable template functionality if not actively required for your threat intelligence workflow. Monitor MISP access logs for unauthorized attempts to create or modify template elements, and review browser console logs on analyst machines for XSS-related errors or unexpected script execution during template rendering. Note that the legacy templating engine is deprecated and will be removed in version 2.5.38, so this remediation is a transitional measure; plan a migration away from legacy templates as part of your MISP maintenance roadmap.
An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp
An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v
An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28357
GHSA-3v62-pvrh-853r