Aggregated CVE and security vulnerability intelligence for all misp-project products, including CVSS, EPSS, publication dates and vulnerability intelligence data.
Historical vulnerabilities mainly involve cross-site scripting and SQL injection; some may lead to data leakage and affect software deployment and production workload scenarios.
The vulnerability data comes mainly from public vulnerability disclosures and security advisories and can be used to assess historical vulnerability exposure and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-56447 | MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or a | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 9.3 | 0.30% | 2026-06-22 | 2026-06-23 |
| CVE-2026-56446 | MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 8.7 | 0.38% | 2026-06-22 | 2026-06-23 |
| CVE-2026-56425 | The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer heade | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 9.3 | 0.30% | 2026-06-22 | 2026-06-26 |
| CVE-2026-56424 | MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization. The affected paths included: * Ev | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 7.1 | 0.36% | 2026-06-22 | 2026-06-23 |
| CVE-2026-56423 | MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 9.4 | 0.26% | 2026-06-22 | 2026-06-23 |
| CVE-2026-10864 | A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.3 | 0.18% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10863 | A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order f | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 6.4 | 0.22% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10860 | A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that shoul | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 7.9 | 0.20% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10861 | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to incre | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.22% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10856 | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.15% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10855 | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation cou | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.15% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10854 | A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxie | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.3 | 0.18% | 2026-06-04 | 2026-06-22 |
| CVE-2026-10611 | An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 8.2 | 0.36% | 2026-06-02 | 2026-06-22 |
| CVE-2026-9137 | The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.36% | 2026-05-20 | 2026-06-22 |
| CVE-2026-9136 | A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 8.3 | 0.23% | 2026-05-20 | 2026-06-22 |
| CVE-2026-44381 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering | [email protected] | 9.3 | 0.54% | 2026-05-13 | 2026-06-22 |
| CVE-2026-44380 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges coul | [email protected] | 8.6 | 0.40% | 2026-05-13 | 2026-06-22 |
| CVE-2026-44379 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37. | [email protected] | 5.3 | 0.18% | 2026-05-13 | 2026-06-22 |
| CVE-2026-8080 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission t | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 6.8 | 0.14% | 2026-05-07 | 2026-06-22 |
| CVE-2026-39962 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints o | [email protected] | 8.8 | 0.34% | 2026-04-09 | 2026-06-22 |