CVE-2026-8080
published 2026-05-07CVE-2026-8080: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP…
PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.14%
3.7th percentile
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aborruso | ckan-mcp-server | >= 0 < 0.4.85 | 0.4.85 |
| devcode-it | openstamanager | 0 – 2.9.8 | — |
| github.com | bishopfox_sliver | >= 0 < 1.7.4 | 1.7.4 |
| misp-project | misp | < 2.5.37 | 2.5.37 |
| misp | misp | < 2.5.37 | 2.5.37 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.06.8MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
ghsa5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
ghsa·2026-05-26
CVE-2026-23734 [CRITICAL] CWE-23 XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
### Impact
It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false`.
This can apparently be reproduced on Tomcat instances.
### Patches
This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.
### Workarounds
There is no known workaround, other than upgrading XWiki.
### References
* https://jira.xwiki.org/browse/XCOMMONS-3547
* https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org
GHSA
GHSA-3v62-pvrh-853r: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS
ghsa_unreviewed·2026-05-07
CVE-2026-8080 [MEDIUM] CWE-79 GHSA-3v62-pvrh-853r: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
GHSA
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
ghsa·2026-03-31·CVSS 5.9
CVE-2026-34227 [MEDIUM] CWE-306 Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface
A single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH keys, `ntds.dit`) or destroying the entire compromised infrastructure, entirely through the operator's own browser.
## Description
The Sliver MCP server runs inside the Sliver Client and binds an unauthenticated HTTP and SSE interface to `localhost:8080` by default. The service returns a permissive `Access-Control-Allow-Origin: *` header on all responses.
Because this server is client-side, the attack surface is distributed across every individual operator in the operation. Any arbitrary website can issue cross-origin
GHSA
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
ghsa·2026-03-18
CVE-2026-33060 [MEDIUM] CWE-918 SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
## Summary
The `@aborruso/ckan-mcp-server` MCP server provides tools including `ckan_package_search` and `sparql_query` that accept a `base_url` parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services.
## Severity
Attack complexity is HIGH because exploitation requires prompt injection via malicious content (webpage, document) while the victim's AI assistant has this MCP server connected.
## Proof of Concept
Tested inside Docker-in-Docker isolated environment with canary HTTP sidecar.
```json
{"tool": "ckan_package_search", "arguments": {"base_url": "http://canary:8080/ssrf", "query"
GHSA
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
ghsa·2026-03-03
CVE-2026-27012 [CRITICAL] CWE-306 OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
### Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
### Details
`modules/utenti/actions.php` is reachable directly via `http://:8080/modules/utenti/actions.php` and processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the adm
No detection rules found.
2026-05-07
Published