Reflected Cross-Site Scripting Vulnerability in MISP by The MISP Project
CVE-2026-54395

5.3MEDIUM

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54395?

MISP has a reflected cross-site scripting vulnerability in the UiBeta event index view. This vulnerability arises from improper handling of the urlparams value, which can be exploited by an attacker to execute arbitrary JavaScript in a victim's browser. Specifically, when a crafted malicious URL is accessed, it can break out of a single-quoted JavaScript string due to improper HTML escaping. This vulnerability can be mitigated by using json_encode() for encoding JavaScript string literals before applying HTML escaping.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeroen Pinoy
Andras Iklody
.