Total
361824 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36212 | 1 Misp-project | 1 Misp | 2026-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view. | |||||
| CVE-2019-11812 | 1 Misp-project | 1 Misp | 2026-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the discussion interface, and can be triggered by clicking on the link. | |||||
| CVE-2026-10855 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 4.3 MEDIUM |
| An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations. The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization. | |||||
| CVE-2023-50918 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 9.8 CRITICAL |
| app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. | |||||
| CVE-2024-45509 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 6.5 MEDIUM |
| In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | |||||
| CVE-2026-44379 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 5.3 MEDIUM |
| MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37. | |||||
| CVE-2021-37534 | 1 Misp-project | 1 Misp | 2026-06-22 | 3.5 LOW | 5.4 MEDIUM |
| app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster. | |||||
| CVE-2024-58128 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 5.5 MEDIUM |
| In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks via a global menu link. | |||||
| CVE-2020-8893 | 1 Misp-project | 1 Misp | 2026-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. | |||||
| CVE-2022-27245 | 1 Misp-project | 1 Misp | 2026-06-22 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. | |||||
| CVE-2022-27246 | 1 Misp-project | 1 Misp | 2026-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default. | |||||
| CVE-2020-29006 | 1 Misp-project | 1 Misp | 2026-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. | |||||
| CVE-2025-67906 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 5.4 MEDIUM |
| In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. | |||||
| CVE-2022-29532 | 1 Misp-project | 1 Misp | 2026-06-22 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it. | |||||
| CVE-2022-29530 | 1 Misp-project | 1 Misp | 2026-06-22 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. | |||||
| CVE-2024-58129 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 5.5 MEDIUM |
| In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin privileges can conduct XSS attacks against every page. | |||||
| CVE-2020-15711 | 1 Misp-project | 1 Misp | 2026-06-22 | 6.8 MEDIUM | 8.8 HIGH |
| In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. | |||||
| CVE-2019-12868 | 1 Misp-project | 1 Misp | 2026-06-22 | 6.5 MEDIUM | 7.2 HIGH |
| app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization. | |||||
| CVE-2026-10854 | 1 Misp-project | 1 Misp | 2026-06-22 | N/A | 4.3 MEDIUM |
| A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies. | |||||
| CVE-2020-14969 | 1 Misp-project | 1 Misp | 2026-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | |||||