CVE-2026-54393

EPSS 0.38%
Veröffentlicht 12.06.2026 20:21:48
Zuletzt bearbeitet 15.06.2026 20:46:57
Quelle 5a6e4751-2f3f-4070-9419-94fb35
CVE-Watchlists
Login
Unerledigt
Login

MISP Overmind theme stored XSS via unvalidated homepage setting

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.

The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.

The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellermisp

≫

Produkt misp

Default Statusunaffected

Version 0

Version < 2.5.40

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.293

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
5a6e4751-2f3f-4070-9419-94fb35b644e8	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2

https://nvd.nist.gov/vuln/detail/CVE-2026-54393

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-54393

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-54393

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-54393