Aggregates CVE and security vulnerability intelligence across all Misp-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk ssrf and vendor risk csrf and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-9137 | The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.06% | 2026-05-20 | 2026-06-02 |
| CVE-2026-9136 | A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 8.3 | 0.04% | 2026-05-20 | 2026-06-02 |
| CVE-2026-44381 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering | [email protected] | 9.3 | 0.05% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44380 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges coul | [email protected] | 8.6 | 0.06% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44379 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37. | [email protected] | 5.3 | 0.04% | 2026-05-13 | 2026-05-15 |
| CVE-2026-8080 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission t | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 6.8 | 0.05% | 2026-05-07 | 2026-05-11 |
| CVE-2026-39962 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints o | [email protected] | 8.8 | 0.11% | 2026-04-09 | 2026-04-23 |
| CVE-2025-67906 | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. | [email protected] | 5.4 | 0.03% | 2025-12-15 | 2025-12-21 |
| CVE-2024-58130 | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. | [email protected] | 7.2 | 0.22% | 2025-03-28 | 2025-07-15 |
| CVE-2024-58129 | In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. | [email protected] | 5.5 | 0.24% | 2025-03-28 | 2025-07-08 |
| CVE-2024-58128 | In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. | [email protected] | 5.5 | 0.24% | 2025-03-28 | 2025-07-08 |
| CVE-2024-57969 | app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. | [email protected] | 4.3 | 0.12% | 2025-02-14 | 2025-07-09 |
| CVE-2024-46918 | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. | [email protected] | 4.9 | 0.08% | 2024-09-15 | 2025-03-13 |
| CVE-2024-45509 | In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | [email protected] | 6.5 | 0.10% | 2024-09-01 | 2024-09-04 |
| CVE-2024-29859 | In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. | [email protected] | 9.8 | 0.09% | 2024-03-21 | 2025-03-05 |
| CVE-2024-29858 | In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. | [email protected] | 9.8 | 0.08% | 2024-03-21 | 2025-06-17 |
| CVE-2024-25675 | An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. | [email protected] | 9.8 | 0.11% | 2024-02-09 | 2025-06-16 |
| CVE-2024-25674 | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. | [email protected] | 9.8 | 0.11% | 2024-02-09 | 2024-11-21 |
| CVE-2023-50918 | app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. | [email protected] | 9.8 | 0.23% | 2023-12-15 | 2024-11-21 |
| CVE-2023-49926 | app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. | [email protected] | 6.1 | 0.10% | 2023-12-03 | 2024-11-21 |