Path Traversal Vulnerability in MISP Affects Organisation Logo Retrieval
CVE-2026-54394

5.3MEDIUM

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54394?

MISP has a path traversal vulnerability in the OrganisationsController::getOrgLogo function, which allows an attacker to manipulate organisation-controlled fields such as id, name, and uuid to access arbitrary files. This oversight occurs because the system does not properly validate that the resolved file paths remain within the designated APP/files/img/orgs/ directory. By exploiting this flaw, an attacker could retrieve unauthorized .png or .svg files from outside this directory, resulting in unapproved data exposure. The vulnerability has been addressed by implementing realpath() to ensure that all candidate paths verify correctly against the intended directory before serving any file.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeroen Pinoy
Andras Iklody
.