Every CVE whose affected-product data names Misp-project Misp, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (121)
CVE-2026-10611 — CVSS 10.0 (critical): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments…
CVE-2020-29006 — CVSS 9.8 (critical): MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVE-2015-5721 — CVSS 9.8 (critical): Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted…
CVE-2023-48655 — CVSS 9.8 (critical): An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query…
CVE-2023-24028 — CVSS 9.8 (critical): In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVE-2022-48329 — CVSS 9.8 (critical): MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php…
CVE-2022-48328 — CVSS 9.8 (critical): app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
CVE-2021-41326 — CVSS 9.8 (critical): In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVE-2015-5719 — CVSS 9.8 (critical): app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92 does not properly restrict filenames…
CVE-2020-15411 — CVSS 9.8 (critical): An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
CVE-2021-39302 — CVSS 9.8 (critical): MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
CVE-2021-35502 — CVSS 9.8 (critical): app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to…
CVE-2018-12649 — CVSS 9.8 (critical): An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a…
CVE-2024-29859 — CVSS 9.8 (critical): In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVE-2024-29858 — CVSS 9.8 (critical): In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVE-2024-25675 — CVSS 9.8 (critical): An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related…
CVE-2024-25674 — CVSS 9.8 (critical): An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and…
CVE-2023-48659 — CVSS 9.8 (critical): An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing.
CVE-2023-48658 — CVSS 9.8 (critical): An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash…
CVE-2026-39962 — CVSS 9.6 (critical): MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP…
CVE-2021-25323 — CVSS 9.1 (critical): The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password…
CVE-2026-56423 — CVSS 8.8 (high): MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected…
CVE-2022-27245 — CVSS 8.8 (high): An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead…
CVE-2026-56424 — CVSS 8.8 (high): MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where…
CVE-2018-19908 — CVSS 8.8 (high): An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used…
CVE-2026-56425 — CVSS 8.8 (high): The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could…
CVE-2020-8892 — CVSS 8.1 (high): An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of…
CVE-2026-10863 — CVSS 8.1 (high): A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled…
CVE-2017-14337 — CVSS 8.1 (high): When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user…
CVE-2022-27243 — CVSS 7.8 (high): An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
CVE-2026-9137 — CVSS 7.5 (high): The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation…
CVE-2020-14969 — CVSS 7.5 (high): app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch…
CVE-2020-25766 — CVSS 7.5 (high): An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is not linked…
CVE-2020-28043 — CVSS 7.5 (high): MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.
CVE-2020-8893 — CVSS 7.5 (high): An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.c…
CVE-2021-31780 — CVSS 7.5 (high): In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit…
CVE-2022-29534 — CVSS 7.5 (high): An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an…
CVE-2023-37306 — CVSS 7.5 (high): MISP 2.4.172 mishandles different certificate file extensions in server sync. An attacker can obtain sensitive information because of the…
CVE-2026-56447 — CVSS 7.2 (high): MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently…
CVE-2018-6926 — CVSS 7.2 (high): In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed…
CVE-2026-56446 — CVSS 7.2 (high): MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log…
CVE-2019-12868 — CVSS 7.2 (high): app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used…
CVE-2024-58130 — CVSS 7.2 (high): In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-JSON…
CVE-2026-44380 — CVSS 7.2 (high): MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the…
CVE-2019-12794 — CVSS 6.6 (medium): An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent…
CVE-2026-10860 — CVSS 6.5 (medium): A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE…
CVE-2024-45509 — CVSS 6.5 (medium): In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the…
CVE-2019-16202 — CVSS 6.5 (medium): MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the…
CVE-2020-8894 — CVSS 6.5 (medium): An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and…
CVE-2026-9136 — CVSS 6.5 (medium): A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute…
CVE-2020-28947 — CVSS 6.1 (medium): In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
CVE-2021-25324 — CVSS 6.1 (medium): MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.
CVE-2021-25325 — CVSS 6.1 (medium): MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain javascript…
CVE-2021-3184 — CVSS 6.1 (medium): MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.
CVE-2020-24085 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() function…
CVE-2021-36212 — CVSS 6.1 (medium): app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.
CVE-2020-13153 — CVSS 6.1 (medium): app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
CVE-2020-10247 — CVSS 6.1 (medium): MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
CVE-2022-27246 — CVSS 6.1 (medium): An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVE-2020-10246 — CVSS 6.1 (medium): MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
CVE-2022-29533 — CVSS 6.1 (medium): An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird…
CVE-2022-47928 — CVSS 6.1 (medium): In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.
CVE-2023-24026 — CVSS 6.1 (medium): In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.
CVE-2023-24070 — CVSS 6.1 (medium): app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field.
CVE-2023-41098 — CVSS 6.1 (medium): An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id parameter upon…
CVE-2019-14286 — CVSS 6.1 (medium): In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles the event…
CVE-2019-11814 — CVSS 6.1 (medium): An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as…
CVE-2019-11813 — CVSS 6.1 (medium): An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link type…
CVE-2019-11812 — CVSS 6.1 (medium): A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in the…
CVE-2019-10254 — CVSS 6.1 (medium): In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.
CVE-2018-8948 — CVSS 6.1 (medium): In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.
CVE-2018-11562 — CVSS 6.1 (medium): An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a…
CVE-2026-10856 — CVSS 6.1 (medium): A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being…
CVE-2026-10861 — CVSS 6.1 (medium): An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url…
CVE-2017-15216 — CVSS 6.1 (medium): MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to…
CVE-2017-13671 — CVSS 6.1 (medium): app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance…
CVE-2020-29572 — CVSS 6.1 (medium): app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.
CVE-2020-8890 — CVSS 5.9 (medium): An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting…
CVE-2020-8891 — CVSS 5.9 (medium): An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid…
CVE-2024-58129 — CVSS 5.5 (medium): In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attackers with…
CVE-2024-58128 — CVSS 5.5 (medium): In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers with admin…
CVE-2021-27904 — CVSS 5.5 (medium): An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag…
CVE-2017-16802 — CVSS 5.4 (medium): In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisation name…
CVE-2021-37743 — CVSS 5.4 (medium): app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.
CVE-2022-29531 — CVSS 5.4 (medium): An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVE-2025-67906 — CVSS 5.4 (medium): In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.
CVE-2023-37307 — CVSS 5.4 (medium): In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.
CVE-2021-37742 — CVSS 5.4 (medium): app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationships.
CVE-2026-8080 — CVSS 5.4 (medium): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This…
CVE-2019-19379 — CVSS 5.3 (medium): In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
CVE-2026-44379 — CVSS 5.3 (medium): MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation…
CVE-2026-44381 — CVSS 5.3 (medium): MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of…
CVE-2019-9482 — CVSS 5.3 (medium): In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to the…
CVE-2020-11458 — CVSS 4.9 (medium): app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not…
CVE-2024-46918 — CVSS 4.9 (medium): app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of…
CVE-2017-16946 — CVSS 4.9 (medium): The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to…
CVE-2022-29532 — CVSS 4.8 (medium): An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL…
CVE-2022-27244 — CVSS 4.8 (medium): An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This…
CVE-2018-8949 — CVSS 4.3 (medium): An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users…
CVE-2020-15412 — CVSS 4.3 (medium): An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a user to…
CVE-2026-10854 — CVSS 4.3 (medium): A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to…
CVE-2026-10855 — CVSS 4.3 (medium): An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode…
CVE-2026-10864 — CVSS 4.3 (medium): A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were…
CVE-2022-42724 — CVSS 4.3 (medium): app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site…