
MISP: EUVD-2026-36564 / CVE-2026-54395 (MEDIUM)
Cross-site Scripting (XSS) (CWE-79)
2026-06-12 · CIRCL · GHSA-53gc-pj4j-m2pq
CVSS 4.0 score 5.3 · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary rating: 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.4 MEDIUM
Rationale: reflected XSS requires the victim to follow a crafted link, so the AI vectors use UI:R (CVSS 3.1) and UI:P (CVSS 4.0) where the vendor vector has UI:N; PR:L matches the authenticated MISP context; S:C in the 3.1 vector because the vulnerable component is the MISP server while the injected JavaScript executes in the victim's browser under the MISP origin.

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS vector breakdown (Vendor: CIRCL)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: not a CVSS 4.0 metric; the vendor vector instead scores the subsequent-system metrics SC:N/SI:N/SA:N

Lifecycle Timeline

Source Code Evidence Fetched: Jun 12, 2026, 21:25 (vuln.today)
Analysis Generated: Jun 12, 2026, 21:25 (vuln.today)

Description (CVE.org)

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.

Analysis (AI)

Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability is an escaping-context mismatch: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing, restoring encoded quote characters (for example, &#039; is decoded back to ') and enabling string breakout. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: the attacker authenticates to the MISP instance (PR:L).
Delivery: the attacker crafts an event index URL with the XSS payload in the searcheventinfo parameter and sends it to an authenticated victim via phishing or an internal message.
Execution: the victim opens the URL in the UiBeta event index view; the browser HTML-decodes the onclick attribute value, restoring the injected quote character, and the JavaScript parser leaves the string literal.
Persist: none; the XSS is reflected and nothing is stored server-side.
Impact: arbitrary JavaScript executes in the victim's browser under the MISP origin.

Vulnerability Assessment (AI)

Exploitation: exploitation requires three concurrent conditions. First, the targeted victim must be authenticated to the MISP instance (the event index is not accessible without login). Second, the victim must be using the UiBeta theme, which is not the default MISP interface and must be explicitly enabled. Third, the victim must follow a crafted URL containing the malicious searcheventinfo value, so the attacker must deliver that URL through phishing, chat, or another social-engineering channel. …
Risk Assessment: the CVSS 4.0 score of 5.3 (Medium) reflects the limited confidentiality and integrity impact (VC:L/VI:L) and the authenticated access requirement (PR:L). …
Exploit Scenario: an authenticated attacker constructs a MISP event index URL whose searcheventinfo parameter contains a payload such as ';alert(document.cookie);// designed to break out of the single-quoted JavaScript string in the onclick handler. The attacker sends this URL to a MISP analyst who is also authenticated; when the analyst visits the link with the UiBeta theme active, the browser HTML-decodes the onclick attribute value before JavaScript execution, restoring the injected quote, and the payload runs as JavaScript in the MISP origin. That enables session theft where the session cookie is not marked HttpOnly, and in any case actions performed on the victim's behalf with the victim's privileges. …
Remediation: the primary remediation is to apply the upstream fix from commit b865deb036ca82dab272be260798f562034ba9ae (https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae), which replaces h($urlparams) with h(json_encode($urlparams)) in app/View/Themed/UiBeta/Events/index.ctp. Note the order: json_encode() emits a complete JavaScript string literal (quotes included, with embedded quotes and backslashes escaped at the JavaScript layer), and h() is then applied on top for the attribute layer, so the encodings are applied innermost context first and undone by the browser in reverse. …
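The description, analysis and remediation passages above all turn on one mechanism: a browser HTML-decodes an inline handler attribute before it parses the result as JavaScript, so HTML escaping alone cannot protect a value that sits inside a JavaScript string literal. The following is an added example, not code from MISP, the advisory, or the fix commit, that models those two layers in JavaScript (JSON.stringify standing in for PHP's json_encode(), a hand-written htmlEscape() standing in for CakePHP's h()), renders the pre-fix and post-fix template shapes, and checks whether the JavaScript parser would leave the string literal. The handler name loadIndex, the hostname misp.example, and the use of a query-string parameter for searcheventinfo are assumptions for illustration; the advisory does not give the exact URL form.

```javascript
// Added example (not MISP's own code): model of the two parsing layers behind
// this bug. The browser HTML-decodes an inline handler attribute, then hands
// the result to the JavaScript parser. Names below are hypothetical.

// Stand-in for CakePHP's h(): htmlspecialchars() with ENT_QUOTES.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// What the HTML parser does to an attribute value before the JS engine sees it
// (only the entities htmlEscape emits, plus the common aliases for ').
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'", '#39': "'", '#x27': "'" };
function htmlDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#039|#39|#x27);/g, (_, e) => ENTITIES[e]);
}

// Pre-fix shape described by the advisory: HTML escaping only, inside a
// single-quoted JS string literal written by the template itself.
function renderVulnerable(urlparams) {
  return `onclick="loadIndex('${htmlEscape(urlparams)}')"`;
}

// Post-fix shape, h(json_encode($urlparams)): JSON.stringify supplies the
// quotes and escapes " and \ at the JS layer; HTML escaping is applied on top.
// The template's own quotes are dropped, or the JSON quotes would become a
// new breakout point.
function renderFixed(urlparams) {
  return `onclick="loadIndex(${htmlEscape(JSON.stringify(urlparams))})"`;
}

// Model of the browser: strip the attribute wrapper, HTML-decode, then scan
// the first JS string literal the way a tokenizer would (a backslash keeps the
// next character literal). Returns the literal and whatever follows it.
function parseAsBrowser(attr) {
  const js = htmlDecode(/^onclick="(.*)"$/s.exec(attr)[1]);
  const open = js.indexOf('(') + 1;
  const quote = js[open];
  let i = open + 1, literal = '';
  while (i < js.length && js[i] !== quote) {
    literal += js[i] === '\\' ? js[i + 1] : js[i];
    i += js[i] === '\\' ? 2 : 1;
  }
  return { literal, trailing: js.slice(i + 1) };
}

// Anything other than the closing ")" after the literal means the JS parser
// left the string (or the handler no longer parses): injected code would run.
function breaksOut(attr) {
  return parseAsBrowser(attr).trailing !== ')';
}

// Pull the reflected parameter out of a crafted URL. Query-string form is an
// assumption; the advisory does not state how urlparams is carried.
function searchEventInfoFrom(url) {
  return new URL(url).searchParams.get('searcheventinfo') ?? '';
}

// Run the same value through both template shapes.
function assess(urlparams) {
  return {
    vulnerable: breaksOut(renderVulnerable(urlparams)),
    fixed: breaksOut(renderFixed(urlparams)),
  };
}

// Constructed sample URL carrying the advisory's payload (placeholder host).
const CRAFTED = 'https://misp.example/events/index?searcheventinfo=' +
  encodeURIComponent("';alert(document.cookie);//");

console.log(renderVulnerable(searchEventInfoFrom(CRAFTED)));
console.log(renderFixed(searchEventInfoFrom(CRAFTED)));
console.log(assess(searchEventInfoFrom(CRAFTED)));   // { vulnerable: true, fixed: false }
```

The general rule this demonstrates is to encode for the innermost context first (JavaScript string literal) and the outermost context last (HTML attribute), because the browser undoes the layers in the opposite order. One difference from the PHP fix: json_encode() by default also escapes "/" as "\/" and non-ASCII characters, which JSON.stringify does not; inside an attribute that does not matter because h() already covers "<" and ">", but it does matter when the same value is emitted inside a script block, where a literal "</script>" would end the block.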

