cbcvebase.

Misp-Project Misp vulnerabilities

121 known vulnerabilities affecting misp-project/misp.

Total CVEs
121
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL26HIGH23MEDIUM72

Vulnerabilities

Page 1 of 7
CVE-2018-19908P2HIGHCVSS 8.8PoC≥ 2.4.90, < 2.4.992018-12-06
CVE-2018-19908 [HIGH] CWE-78 CVE-2018-19908: An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
nvd
CVE-2026-10611P2CRITICALCVSS 10.0fixed in 2.5.392026-06-02
CVE-2026-10611 [CRITICAL] CWE-287 CVE-2026-10611: An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application befor
nvd
CVE-2026-44381P3MEDIUMCVSS 5.3PoCfixed in 2.5.372026-05-13
CVE-2026-44381 [MEDIUM] CWE-89 CVE-2026-44381: MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vu MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering c
nvd
CVE-2026-56424P3HIGHCVSS 8.8fixed in 2.5.422026-06-22
CVE-2026-56424 [HIGH] CWE-639 CVE-2026-56424: MISP core contained multiple broken access-control flaws where authorization checks were performed a MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate
nvd
CVE-2026-56423P3HIGHCVSS 8.8fixed in 2.5.422026-06-22
CVE-2026-56423 [HIGH] CWE-862 CVE-2026-56423: MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sh MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For Event Reports, EventReportsController::deleteSelection relied on the global per
nvd
CVE-2026-39962P3CRITICALCVSS 9.6fixed in 2.5.362026-04-09
CVE-2026-39962 [CRITICAL] CWE-90 CVE-2026-39962: MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutraliz MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in c
nvd
CVE-2026-56425P3HIGHCVSS 8.8fixed in 2.5.422026-06-22
CVE-2026-56425 [HIGH] CWE-384 CVE-2026-56425: The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-
nvd
CVE-2026-10863P3HIGHCVSS 8.1fixed in 2.5.392026-06-04
CVE-2026-10863 [HIGH] CWE-20 CVE-2026-10863: A security issue was fixed in the correlations over-correlation endpoint where the order query param A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this cou
nvd
CVE-2024-29859P3CRITICALCVSS 9.8fixed in 2.4.1872024-03-21
CVE-2024-29859 [CRITICAL] CWE-434 CVE-2024-29859: In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly che In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
nvd
CVE-2024-25674P3CRITICALCVSS 9.8fixed in 2.4.1842024-02-09
CVE-2024-25674 [CRITICAL] CWE-434 CVE-2024-25674: An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a la An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
nvd
CVE-2021-41326P3CRITICALCVSS 9.8fixed in 2.4.1482021-09-17
CVE-2021-41326 [CRITICAL] CVE-2021-41326: In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
nvd
CVE-2022-29528P3CRITICALCVSS 9.8fixed in 2.4.1582022-04-20
CVE-2022-29528 [CRITICAL] CWE-502 CVE-2022-29528: An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
nvd
CVE-2023-24028P3CRITICALCVSS 9.8v2.4.1672023-01-20
CVE-2023-24028 [CRITICAL] CWE-284 CVE-2023-24028: In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the deca In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
nvd
CVE-2023-37307P4MEDIUMCVSS 5.4PoCfixed in 2.4.1722023-06-30
CVE-2023-37307 [MEDIUM] CWE-79 CVE-2023-37307: In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclu In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.
nvd
CVE-2026-44380P3HIGHCVSS 7.2fixed in 2.5.372026-05-13
CVE-2026-44380 [HIGH] CWE-863 CVE-2026-44380: MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators
nvd
CVE-2015-5721P3CRITICALCVSS 9.8≤ 2.3.892016-09-03
CVE-2015-5721 [CRITICAL] CWE-94 CVE-2015-5721: Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP obj Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_attributes.ctp.
nvd
CVE-2022-48328P3CRITICALCVSS 9.8fixed in 2.4.1672023-02-20
CVE-2022-48328 [CRITICAL] CWE-755 CVE-2022-48328: app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_para app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
nvd
CVE-2024-29858P3CRITICALCVSS 9.8fixed in 2.4.1872024-03-21
CVE-2024-29858 [CRITICAL] CWE-616 CVE-2024-29858: In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
nvd
CVE-2026-56446P3HIGHCVSS 7.2fixed in 2.5.422026-06-22
CVE-2026-56446 [HIGH] CWE-94 CVE-2026-56446: MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. A
nvd
CVE-2026-56447P3HIGHCVSS 7.2fixed in 2.5.422026-06-22
CVE-2026-56447 [HIGH] CWE-829 CVE-2026-56447: MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbit MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in a
nvd
Misp-Project Misp vulnerabilities | cvebase