Skip to main content

MISP CVE-2026-8080

| EUVDEUVD-2026-28357 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 5a6e4751-2f3f-4070-9419-94fb35b644e8 GHSA-3v62-pvrh-853r
6.8
CVSS 4.0 · Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
Share

Severity by source

Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8) · only source for this CVE.

CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
May 07, 2026 - 13:16 EUVD
Source Code Evidence Fetched
May 07, 2026 - 12:45 vuln.today
Analysis Generated
May 07, 2026 - 12:45 vuln.today
CVE Published
May 07, 2026 - 12:16 nvd
MEDIUM 6.8

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.

This issue affects MISP before 2.5.37.

A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.

This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

AnalysisAI

Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability resides in MISP's legacy templating engine (deprecated and removed in 2.5.38) within the TemplateElementAttribute model class. The application failed to validate user-supplied values for the 'type' and 'category' fields against the known MISP attribute type and category definitions before storing them in the database. Additionally, the AJAX template element edit view rendered these values directly into JavaScript without proper escaping or JSON encoding, creating a stored XSS vector. The underlying root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), compounded by unsafe direct output rendering in client-side JavaScript context. The fix (commit 62824e5) introduces server-side validation using ClassRegistry to load MispAttribute definitions and cross-check user input, and client-side remediation via json_encode() for proper JavaScript context escaping.

RemediationAI

Upgrade MISP to version 2.5.37 or later, which implements input validation for template element attribute type and category fields and adds proper JSON encoding for JavaScript context output. The fix can be obtained from the official MISP GitHub repository at https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0. For deployments unable to upgrade immediately, restrict template element attribute creation and modification to a minimal set of trusted administrators, and conduct a database audit for any existing template element attributes with suspicious type or category values using SQL queries against the TemplateElementAttribute table. Additionally, disable template functionality if not actively required for your threat intelligence workflow. Monitor MISP access logs for unauthorized attempts to create or modify template elements, and review browser console logs on analyst machines for XSS-related errors or unexpected script execution during template rendering. Note that the legacy templating engine is deprecated and will be removed in version 2.5.38, so this remediation is a transitional measure; plan a migration away from legacy templates as part of your MISP maintenance roadmap.

More in Misp

View all
CVE-2018-19908 HIGH POC
8.8 Dec 06

An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2022-29528 CRITICAL POC
9.8 Apr 20

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2022-48328 CRITICAL POC
9.8 Feb 20

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de

CVE-2026-44381 CRITICAL POC
9.3 May 13

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m

CVE-2022-29534 HIGH POC
7.5 Apr 20

An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-37306 HIGH POC
7.5 Jun 30

MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne

CVE-2021-41326 CRITICAL
9.8 Sep 17

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R

CVE-2018-12649 CRITICAL
9.8 Jun 22

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v

CVE-2020-15411 CRITICAL
9.8 Jun 30

An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2020-29006 CRITICAL
9.8 Nov 24

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme

CVE-2021-35502 CRITICAL
9.8 Jun 25

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel

CVE-2021-39302 CRITICAL
9.8 Aug 19

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated

Share

CVE-2026-8080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy