Stored Cross-Site Scripting Vulnerability in MISP Overmind Theme
CVE-2026-54393
5.1MEDIUM
What is CVE-2026-54393?
A vulnerability exists in MISP when utilizing the Overmind theme, where the setHomePage endpoint allows for stored cross-site scripting (XSS). An attacker, leveraging the failure of the setSettingInternal() function to enforce proper input validation, can manipulate user-controlled values to store malicious scripts. This poses a risk as these scripts are executed in the browser context of the affected MISP instance when the homepage link is generated in the news view. The issue has been addressed by ensuring that homepage settings are validated and escaped properly before rendering.
Affected Version(s)
misp 0 < 2.5.40
