Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Primary rating from Vendor (CIRCL) · only source for this CVE.
Description (CVE.org)
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.
An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
Analysis (AI)
Open redirect in MISP's dashboard button widget (versions up to and including 2.5.38) enables an authenticated, high-privileged user who controls dashboard configuration to plant a crafted button URL that appears to point internally but redirects clicking users to an attacker-controlled external site. The root cause is an incomplete URL allowlist in Button.ctp that blocked explicit schemes, hosts, and user components but did not reject paths beginning with /\ - a pattern several browsers normalize into a scheme-relative URL (i.e., //attacker.com). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must hold a MISP account with high-level privileges sufficient to configure dashboard button widgets (PR:H in the CVSS 4.0 vector); this is not a default low-privilege user capability. … |
| Risk Assessment | The CVSS 4.0 base score of 5.1 with vector AV:N/AC:L/AT:N/PR:H/UI:N reflects network-reachable exploitation requiring high-level authentication (PR:H) and no additional attack prerequisites. … |
| Exploit Scenario | An attacker who has obtained or legitimately holds a high-privileged MISP account navigates to the dashboard configuration and creates or modifies a button widget, setting its URL to /\attacker.com/credential-harvest. The button renders in the shared MISP dashboard appearing as a benign internal link; when an analyst clicks it, their browser normalizes the backslash to a forward slash and resolves //attacker.com/credential-harvest as an external HTTPS navigation, delivering the analyst to a phishing page styled to match the MISP login screen. … |
| Remediation | The upstream fix is available in MISP commit f879f16fb5db7a9aab0a70fdcafea12ce4847e9a, which modifies Button.ctp to reject empty paths and any path whose second character is a backslash, and removes the double concatenation of betterUrl and $url in the anchor href. … |
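As an added illustration, not code from MISP or from this advisory (the real check lives in PHP in Button.ctp), this Python model reproduces the logic described in the Description and Remediation sections: the pre-patch allowlist that only rejected an explicit scheme, host or user component, the patched check that also rejects empty paths and a `/\` prefix, href reconstruction that emits only the validated URL, and a simplified model of how browsers treat the backslash. The application origin, the hostnames and the browser model are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

# Constructed example origin for the MISP instance (assumption, not from the advisory).
APP_BASE = "https://misp.example.internal/dashboard"


def _has_remote_parts(url: str) -> bool:
    """True if the URL carries an explicit scheme, host or user component."""
    p = urlsplit(url)
    return bool(p.scheme or p.netloc or p.username)


def validate_vulnerable(url: str) -> bool:
    """Models the pre-patch check as the advisory describes it: anything
    without scheme/host/user is treated as a local path, so '/\\evil.example'
    passes because the parser sees nothing but a path component."""
    return not _has_remote_parts(url)


def validate_patched(url: str) -> bool:
    """Models the patched check: additionally rejects empty paths and any
    path that begins with a slash followed by a backslash."""
    if _has_remote_parts(url):
        return False
    path = urlsplit(url).path
    if path == "" or path.startswith("/\\"):
        return False
    return True


def reconstruct(url: str) -> str:
    """Rebuilds only path, query and fragment of a validated URL; this is
    what the patched anchor href emits, with no concatenation of the raw input."""
    p = urlsplit(url)
    return urlunsplit(("", "", p.path, p.query, p.fragment))


def browser_resolve(base: str, href: str) -> str:
    """Approximates WHATWG URL handling for special schemes such as https,
    where a backslash is treated as a forward slash before the href is
    resolved against the page. Assumption: a simplified model, not a full
    implementation of the URL Standard."""
    return urljoin(base, href.replace("\\", "/"))


if __name__ == "__main__":
    # Constructed candidates: one legitimate internal path, one /\ payload, one
    # scheme-relative URL the old check already caught, and the empty string.
    for candidate in ("/events/index", "/\\evil.example/login", "//evil.example", ""):
        print(f"{candidate!r:26} old={validate_vulnerable(candidate)!s:5} "
              f"new={validate_patched(candidate)!s:5} "
              f"browser={browser_resolve(APP_BASE, candidate)}")
```

The key line in the output is the `/\evil.example/login` candidate: the old check accepts it, the new one rejects it, and the browser model resolves it to an external origin.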
Related identifiers: EUVD-2026-34262, GHSA-rx96-8w86-5hhh