Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Reflected XSS requires victim to follow crafted link (UI:R); PR:L matches authenticated MISP context; S:C because JavaScript executes in victim's browser under MISP origin.
Primary rating from Vendor (CIRCL).
Description (CVE.org)
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
Analysis (AI)
Reflected XSS in MISP's UiBeta event index view allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL with a specially encoded searcheventinfo parameter. The vulnerability exploits a double-encoding flaw: the PHP template applies only HTML escaping (h()) to the urlparams value placed inside a single-quoted JavaScript string in an onclick attribute, but browsers HTML-decode attribute values before JavaScript parsing - restoring encoded quote characters (the entity-encoded ' becomes a literal ' again) and enabling string breakout. …
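The layering problem described above, modelled in JavaScript as an added example (not MISP's template code): `h()` and `JSON.stringify()` here stand in for the template's `h()` and PHP's `json_encode()`, and the handler markup, `go()` and `injected()` are constructed names. It decodes the attribute the way an HTML parser does, runs the resulting handler body against stubs, and reports whether the value stayed data.

```javascript
// Added example: models the two decoding layers of an inline event handler.
// The handler markup and the names go()/injected() are constructed for illustration.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const DEC = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));

// Stand-in for the template's h(): HTML-escape, quotes included.
const h = (s) => String(s).replace(/[&<>"']/g, (c) => ENT[c]);

// What the HTML parser does to an attribute value before the JS engine sees it.
const attrDecode = (s) => s.replace(/&(?:amp|lt|gt|quot|#039);/g, (e) => DEC[e]);

// "Before": HTML escaping only, inside a single-quoted JS string.
const vulnerableAttr = (v) => "var u='" + h(v) + "';go(u)";

// "After": JS string literal first (JSON.stringify stands in for json_encode()),
// then HTML escaping for the attribute layer.
const fixedAttr = (v) => 'var u=' + h(JSON.stringify(v)) + ';go(u)';

// Decode the attribute as a browser would, then run the handler body with stubs
// and report what go() received and whether any extra statement executed.
function runHandler(attrValue) {
  const seen = { arg: undefined, injected: false };
  const go = (a) => { seen.arg = a; };
  const injected = () => { seen.injected = true; };
  try {
    new Function('go', 'injected', attrDecode(attrValue))(go, injected);
  } catch (e) {
    seen.error = e.name; // e.g. a stray backslash leaves the string unterminated
  }
  return seen;
}

// Constructed probe with the same quote-breakout shape as the payload quoted on this page.
const probe = "';injected();//";

console.log('escaped only :', runHandler(vulnerableAttr(probe)));
console.log('json + escape:', runHandler(fixedAttr(probe)));
```

The same harness works as a regression check for any template value that lands inside an inline handler: the fixed form must hand `go()` the input byte for byte.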
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires three concurrent conditions: first, the targeted victim must be authenticated to the MISP instance (the event index is not accessible without login); second, the victim must be using the UiBeta theme, which is not the default MISP interface and must be explicitly enabled; third, the victim must follow a crafted URL containing the malicious searcheventinfo value, meaning the attacker must deliver this URL through phishing, chat, or another social engineering channel. … |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) reflects the limited confidentiality and integrity impact (VC:L/VI:L) and the authenticated access requirement (PR:L). … |
| Exploit Scenario | An authenticated attacker constructs a MISP event index URL where the searcheventinfo parameter contains a payload such as ';alert(document.cookie);// designed to break out of the single-quoted JavaScript string in the onclick handler. The attacker sends this URL to a MISP analyst who is also authenticated; when the analyst visits the link with the UiBeta theme active, the browser HTML-decodes the onclick attribute value before JavaScript execution, restoring the injected quote, and the payload runs as JavaScript in the MISP origin - enabling session theft or action-on-behalf-of attacks. … |
| Remediation | The primary remediation is to apply the upstream fix from commit b865deb036ca82dab272be260798f562034ba9ae (https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae), which replaces h($urlparams) with h(json_encode($urlparams)) in app/View/Themed/UiBeta/Events/index.ctp. … |
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or pe
Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to a
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijackin
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to
Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify o
Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated u
LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers
Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configu
Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to
Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submissio
OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_ot
Same weakness CWE-79 – Cross-site Scripting (XSS)
EUVD-2026-36564
GHSA-53gc-pj4j-m2pq