A summary of CVE and security vulnerability intelligence for all MISP-related products, including CVSS, EPSS, publication date and vulnerability intelligence data.
Historical vulnerabilities mainly involve issues such as cross-site scripting and SQL injection; some may lead to file overwrites and affect software deployment and production workload scenarios.
The vulnerability data is drawn primarily from public vulnerability disclosures and security advisories, and can be used to assess historical vulnerability exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-10864 | A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.3 | 0.04% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10863 | A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order f | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 6.4 | 0.03% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10860 | A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that shoul | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 7.9 | 0.04% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10861 | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to incre | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.04% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10856 | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.04% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10855 | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation cou | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.04% | 2026-06-04 | 2026-06-08 |
| CVE-2026-10854 | A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxie | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.3 | 0.04% | 2026-06-04 | 2026-06-05 |
| CVE-2026-9137 | The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 5.1 | 0.06% | 2026-05-20 | 2026-06-02 |
| CVE-2026-9136 | A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 8.3 | 0.04% | 2026-05-20 | 2026-06-02 |
| CVE-2026-44381 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering | [email protected] | 9.3 | 0.05% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44380 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges coul | [email protected] | 8.6 | 0.06% | 2026-05-13 | 2026-05-15 |
| CVE-2026-44379 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37. | [email protected] | 5.3 | 0.04% | 2026-05-13 | 2026-05-15 |
| CVE-2026-8080 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission t | 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 6.8 | 0.05% | 2026-05-07 | 2026-05-11 |
| CVE-2026-39962 | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints o | [email protected] | 8.8 | 0.11% | 2026-04-09 | 2026-04-23 |
| CVE-2025-67906 | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. | [email protected] | 5.4 | 0.03% | 2025-12-15 | 2025-12-21 |
| CVE-2024-58130 | In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON responses. | [email protected] | 7.2 | 0.22% | 2025-03-28 | 2025-07-15 |
| CVE-2024-58129 | In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. | [email protected] | 5.5 | 0.24% | 2025-03-28 | 2025-07-08 |
| CVE-2024-58128 | In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. | [email protected] | 5.5 | 0.24% | 2025-03-28 | 2025-07-08 |
| CVE-2024-57969 | app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search. | [email protected] | 4.3 | 0.12% | 2025-02-14 | 2025-07-09 |
| CVE-2024-46918 | app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org. | [email protected] | 4.9 | 0.08% | 2024-09-15 | 2025-03-13 |