MISP Overmind theme stored XSS via unvalidated homepage setting
CVE-2026-54393

5.1MEDIUM

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-54393?

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.

The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.

The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.

Affected Version(s)

misp 0 < 2.5.40

References

https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc7...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Jeroen Pinoy

Andras Iklody

CVE-2026-54393 Data

JSON