Misp-Project Misp vulnerabilities
121 known vulnerabilities affecting misp-project/misp.
Total CVEs
121
CISA KEV
0
Public exploits
3
Exploited in wild
0
Severity breakdown
CRITICAL26HIGH23MEDIUM72
Vulnerabilities
Page 3 of 7
CVE-2022-29534P3HIGHCVSS 7.5fixed in 2.4.1582022-04-20
CVE-2022-29534 [HIGH] CWE-287 CVE-2022-29534: An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.
nvd
CVE-2022-27245P3HIGHCVSS 8.8fixed in 2.4.1562022-03-18
CVE-2022-27245 [HIGH] CWE-918 CVE-2022-27245: An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServe
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
nvd
CVE-2026-10860P3MEDIUMCVSS 6.5fixed in 2.5.392026-06-04
CVE-2026-10860 [MEDIUM] CWE-863 CVE-2026-10860: A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed w
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callbac
nvd
CVE-2020-8892P3HIGHCVSS 8.1fixed in 2.4.1212020-02-12
CVE-2020-8892 [HIGH] CVE-2020-8892: An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.
nvd
CVE-2015-5719P3CRITICALCVSS 9.8≤ 2.3.912016-09-03
CVE-2015-5719 [CRITICAL] CVE-2015-5719: app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92
app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92 does not properly restrict filenames under the tmp/files/ directory, which has unspecified impact and attack vectors.
nvd
CVE-2026-9136P3MEDIUMCVSS 6.5≥ 2.5.0, < 2.5.382026-05-20
CVE-2026-9136 [MEDIUM] CWE-639 CVE-2026-9136: A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action acc
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submi
nvd
CVE-2020-14969P3HIGHCVSS 7.5v2.4.1272020-06-22
CVE-2020-14969 [HIGH] CWE-862 CVE-2020-14969: app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs w
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.
nvd
CVE-2021-31780P3HIGHCVSS 7.5v2.4.1412021-04-23
CVE-2021-31780 [HIGH] CWE-212 CVE-2021-31780: In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to in
In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.
nvd
CVE-2020-8893P3HIGHCVSS 7.5fixed in 2.4.1212020-02-12
CVE-2020-8893 [HIGH] CVE-2020-8893: An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized s
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp.
nvd
CVE-2020-25766P3HIGHCVSS 7.5fixed in 2.4.1322020-09-18
CVE-2020-25766 [HIGH] CVE-2020-25766: An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST
An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked to the login page.
nvd
CVE-2023-37306P3HIGHCVSS 7.5v2.4.1722023-06-30
CVE-2023-37306 [HIGH] CWE-209 CVE-2023-37306: MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain
MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the nature of the error messages.
nvd
CVE-2019-16202P3MEDIUMCVSS 6.5fixed in 2.4.1152019-09-10
CVE-2019-16202 [MEDIUM] CWE-269 CVE-2019-16202: MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, es
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
nvd
CVE-2024-45509P3MEDIUMCVSS 6.5fixed in 2.4.1972024-09-01
CVE-2024-45509 [MEDIUM] CWE-863 CVE-2024-45509: In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.
nvd
CVE-2020-15711P4HIGHCVSS 8.8fixed in 2.4.1292020-07-14
CVE-2020-15711 [HIGH] CWE-352 CVE-2020-15711: In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.
nvd
CVE-2022-27243P4HIGHCVSS 7.8fixed in 2.4.1562022-03-18
CVE-2022-27243 [HIGH] CVE-2022-27243: An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
nvd
CVE-2019-12794P4MEDIUMCVSS 6.6v2.4.1082019-06-11
CVE-2019-12794 [MEDIUM] CWE-269 CVE-2019-12794: An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins
An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin coul
nvd
CVE-2020-8894P4MEDIUMCVSS 6.5fixed in 2.4.1212020-02-12
CVE-2020-8894 [MEDIUM] CVE-2020-8894: An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/C
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php.
nvd
CVE-2026-10861P4MEDIUMCVSS 6.1fixed in 2.5.392026-06-04
CVE-2026-10861 [MEDIUM] CWE-601 CVE-2026-10861: An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value
An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.
An unauthenticated remote attacker could craft a link that causes a victim to visit
nvd
CVE-2026-10856P4MEDIUMCVSS 6.1fixed in 2.5.392026-06-04
CVE-2026-10856 [MEDIUM] CWE-601 CVE-2026-10856: A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\
nvd
CVE-2026-44379P4MEDIUMCVSS 5.3fixed in 2.5.372026-05-13
CVE-2026-44379 [MEDIUM] CWE-20 CVE-2026-44379: MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections d
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collec
nvd