Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-10861— MISP post-login open redirect via pre_login_requested_url

AI Predicted 5.0 Difficulty: Trivial EPSS 0.22% · P13

Affected Version Matrix 1

VendorProductVersion RangeStatus
mispmisp≤ 2.5.38affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-10861

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
MISP post-login open redirect via pre_login_requested_url
Source: NVD (National Vulnerability Database)
Vulnerability Description
An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MISP 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MISP是MISP开源的一套开源的软件解决方案。该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP存在安全漏洞,该漏洞源于UsersController::routeafterlogin()中存储的pre_login_requested_url会话键值被用作登录后重定向目标,且未充分验证其为本地应用路径,可能导致未经验证的远程攻击者构造链接,诱使受害者访问受信任的MISP实例并在成功认证后重定向至攻击者控制的外部URL。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
mispmisp 0 ~ 2.5.38 -

II. Public POCs for CVE-2026-10861

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-10861

登录查看更多情报信息。

Patches & Fixes for CVE-2026-10861 (1)

Same Patch Batch · misp · 2026-06-04 · 8 CVEs total

CVE-2026-10860MISP CRUDComponent delete validation bypass via operator precedence error
CVE-2026-10854Unauthorized exposure of private galaxies in MISP event template creation
CVE-2026-10856Open redirect in MISP dashboard button widget URL handling
CVE-2026-10863MISP User-controlled order parameter in correlations over-correlation endpoint
CVE-2026-10864MISP Dashboard widget field selection may expose restricted user and organisation data
CVE-2026-10868MISP user edit endpoint mass assignment vulnerability allows unauthorized user account mod
CVE-2026-10855MISP Event template importer authorization bypass

IV. Related Vulnerabilities

Same product: misp
Same vendor: misp
Same weakness: CWE-601

V. Comments for CVE-2026-10861

No comments yet

Leave a comment