Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-54393— MISP Overmind theme stored XSS via unvalidated homepage setting

AI Predicted 6.1 Difficulty: Easy EPSS 0.38% · P30

Affected Version Matrix 1

VendorProductVersion RangeStatus
mispmisp< 2.5.40affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-54393

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
MISP Overmind theme stored XSS via unvalidated homepage setting
Source: NVD (National Vulnerability Database)
Vulnerability Description
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload. The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with. The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MISP 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MISP是MISP组织开源的一套开源的软件解决方案。 该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP 2.5.40之前版本存在跨站脚本漏洞,该漏洞源于当使用Overmind主题时,setHomePage端点通过setSettingInternal()保存用户控制的路径值,绕过了需要路径以/开头的validate_homepage验证逻辑,导致已认证用户可存储任意主页值。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
mispmisp 0 ~ 2.5.40 -

II. Public POCs for CVE-2026-54393

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-54393

登录查看更多情报信息。

Patches & Fixes for CVE-2026-54393 (1)

Same Patch Batch · misp · 2026-06-12 · 12 CVEs total

CVE-2026-54358MISP organization administrators can target site administrator accounts for password reset
CVE-2026-54362MISP template builder exposes non-visible custom galaxies across organisations
CVE-2026-54359MISP automation endpoints may be exposed to CSRF when Sec-Fetch-Site protection is disable
CVE-2026-54398MISP object edit authorization bypass allows unauthorized sharing group assignment
CVE-2026-54396MISP AuthKey edit endpoint allows authenticated user email enumeration
CVE-2026-54394MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files
CVE-2026-54357MISP improper authorization allows organization administrators to modify site administrato
CVE-2026-54395MISP UiBeta event index reflected XSS in advanced filter popup
CVE-2026-54397MISP event editing allows unauthorized assignment to undisclosed sharing groups
CVE-2026-54360MISP sharing group creation mass assignment allows unauthorized takeover of existing shari
CVE-2026-54361MISP mass assignment vulnerabilities allow unauthorized modification of ownership and dele

IV. Related Vulnerabilities

V. Comments for CVE-2026-54393

No comments yet


Leave a comment