Skip to main content

MISP CVE-2026-9137

| EUVDEUVD-2026-31155 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-20 CIRCL GHSA-gfvj-j222-m85v
5.1
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CIRCL) · only source for this CVE.

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 20, 2026 - 20:06 vuln.today
Analysis Generated
May 20, 2026 - 20:06 vuln.today

DescriptionCVE.org

The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

AnalysisAI

MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (1024 * 1024 instead of 1024). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.

Technical ContextAI

MISP (Malware Information Sharing Platform) is an open-source threat intelligence sharing platform written in PHP using the CakePHP framework. The vulnerable code resides in app/Controller/ServersController.php within the cspReport() method, which receives Content Security Policy violation reports from browsers. CWE-400 (Uncontrolled Resource Consumption) describes the root cause: the truncation condition used strlen($report) > 1024 * 1024 (evaluating to 1,048,576 bytes / 1 MB) while the inline comment correctly stated the intent was to limit reports to 1 KB (1024 bytes). This 1,024x discrepancy means each logged CSP report could consume up to 1 MB of log space rather than the intended 1 KB. The affected CPE is cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* covering the version range 2.5.0 through 2.5.37.

RemediationAI

The upstream fix is available via GitHub commit 02932cccab230b295afcaf5aa05e363d30db0ec9, which corrects the truncation guard from strlen($report) > 1024 * 1024 to strlen($report) > 1024. This fix was reported as 'patch available from vendor' per the source intelligence, but a specific tagged release version incorporating this commit has not been independently confirmed from the available data - operators should verify against the MISP release changelog or ENISA EUVD-2026-31155. As a compensating control where patching is not immediately possible, network-level access controls should be applied to restrict who can POST to the /servers/cspReport endpoint, limiting it to known browser clients or internal networks only - this directly addresses the 'reachable by untrusted clients' prerequisite. Additionally, log rotation policies with size caps can reduce the blast radius of log flooding. Monitoring for unusually large POST bodies to this endpoint can serve as a detection signal.

More in Misp

View all
CVE-2018-19908 HIGH POC
8.8 Dec 06

An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2022-29528 CRITICAL POC
9.8 Apr 20

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2022-48328 CRITICAL POC
9.8 Feb 20

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de

CVE-2026-44381 CRITICAL POC
9.3 May 13

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m

CVE-2022-29534 HIGH POC
7.5 Apr 20

An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-37306 HIGH POC
7.5 Jun 30

MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne

CVE-2021-41326 CRITICAL
9.8 Sep 17

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R

CVE-2018-12649 CRITICAL
9.8 Jun 22

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v

CVE-2020-15411 CRITICAL
9.8 Jun 30

An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2020-29006 CRITICAL
9.8 Nov 24

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme

CVE-2021-35502 CRITICAL
9.8 Jun 25

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel

CVE-2021-39302 CRITICAL
9.8 Aug 19

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated

Share

CVE-2026-9137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy