CVE-2026-9137
Published 2026-05-20
Priority: P3 (41) · CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.36% (28.3rd percentile)
The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| misp-project | misp | >= 2.5.0 < 2.5.38 | 2.5.38 |
| misp | misp | 2.5.0 – 2.5.37 | — |
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD, CVSS v4.0: 5.1 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
CVE-2026-9137 [MEDIUM]: misp up to 2.5.37 CSP Report Endpoint resource consumption (VulDB, 2026-05-20, CVSS 5.1)
A vulnerability classified as problematic has been found in misp up to 2.5.37. Affected by this issue is some unknown functionality of the component CSP Report Endpoint. The manipulation leads to resource consumption.
This vulnerability is uniquely identified as CVE-2026-9137. The attack can be carried out remotely. No exploit exists.
GHSA
CVE-2026-9137 [MEDIUM] CWE-400, GHSA-gfvj-j222-m85v (GHSA unreviewed, 2026-05-20): The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation
The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.