[{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Sami Mokaddem"}, {"lang": "en", "type": "finder", "value": "Berk Polat"}, {"lang": "en", "type": "remediation reviewer", "value": "Claude Opus 4.8 (1M context) aka Claudy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP\u2019s <code>importModule()</code> path used <code>getEnabledModule()</code> to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by <code>getEnabledModules()</code>. As a result, an authenticated user from an organisation that was not allowed to use a module restricted via <code>Plugin.Import_&lt;module&gt;_restrict</code> could still invoke that import module directly if they knew its name.</p>\n<p>This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user\u2019s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user\u2019s organisation.</p><br>"}], "value": "MISP\u2019s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name.\n\n\nThis could allow unauthorised access to restricted import-module functionality and, depending on the module and the user\u2019s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user\u2019s organisation."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d"}], "source": {"discovery": "UNKNOWN"}, "title": "importModule function in MISP ignores per-organisation import module restrictions", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20112"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20112", "datePublished": "2026-07-08T13:36:15.651888Z", "dateUpdated": "2026-07-08T13:36:48.095956Z", "cveId": "CVE-2026-60125", "dateReserved": "2026-07-08T13:36:48.024Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Sami Mokaddem"}, {"lang": "en", "type": "finder", "value": "Berk Polat"}, {"lang": "en", "type": "remediation reviewer", "value": "Claude Opus 4.8 (1M context) aka Claudy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An authorization bypass in MISP\u2019s <code>EventsController::importModule()</code> allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the <code>misp_standard</code> format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing <code>misp_standard</code> imports.</div><div><br></div>"}], "value": "An authorization bypass in MISP\u2019s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/d0725fc34fda256cc57e5a8f0543cd541033e008"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP importModule missing authorization allows read-only users to modify events via misp_standard imports", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20004"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20004", "datePublished": "2026-07-08T13:29:57.644210Z", "dateUpdated": "2026-07-08T13:30:08.436075Z", "cveId": "CVE-2026-60124", "dateReserved": "2026-07-08T13:30:08.370Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "MacOS", "x86", "ARM", "64 bit", "32 bit"], "product": "NoMachine", "vendor": "NoMachine", "versions": [{"lessThan": "9.5.7", "status": "affected", "version": "7.0.0", "versionType": "semver"}, {"lessThan": "8.23.2", "status": "affected", "version": "7.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Vonmetz Tobias"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.<p>This issue affects Nomachine: before 9.5.7, before 8.23.2.</p><p><br></p><p><br></p>"}], "value": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2."}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6 Argument Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 7.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["release-notes"], "url": "https://kb.nomachine.com/SU05X00274"}, {"tags": ["release-notes"], "url": "https://kb.nomachine.com/SU05X00275"}], "source": {"discovery": "UNKNOWN"}, "title": "Potential local privileges escalation through argument injection in the nxchmod.sh script", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20015"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-53694", "datePublished": "2026-06-10T14:56:00.000Z", "dateReserved": "2026-06-10T14:57:00.000Z", "dateUpdated": "2026-07-07T15:04:35.841800Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20015"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "ail-framework", "repo": "https://github.com/ail-project/ail-framework0", "vendor": "ail-project", "versions": [{"lessThanOrEqual": "v6.9.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Aurelien Thirion"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>AIL Framework contains a path traversal vulnerability in its PDF object handling. Prior to commit <code>14c618fce4d1df02358717c48ea903706abecdf2</code>, the <code>PDF.get_filepath()</code> function constructed a file path by joining the configured PDF storage directory with a path derived from a PDF object identifier, without verifying that the resolved path remained within the intended <code>PDF_FOLDER</code> directory.</p><p>An authenticated attacker able to invoke PDF object operations with a crafted identifier could use relative traversal sequences or absolute path components to cause AIL Framework to open files located outside the PDF storage directory. This could allow disclosure of files readable by the AIL process, including application configuration, credentials, or other sensitive local data. This vulnerability is potential due to additional errors before being able to be executed.</p><p>The fix canonicalises the resulting path with <code>os.path.realpath()</code> and rejects paths whose common directory is outside the configured PDF directory.</p><h2></h2><br>"}], "value": "AIL Framework contains a path traversal vulnerability in its PDF object handling. Prior to commit 14c618fce4d1df02358717c48ea903706abecdf2, the PDF.get_filepath() function constructed a file path by joining the configured PDF storage directory with a path derived from a PDF object identifier, without verifying that the resolved path remained within the intended PDF_FOLDER directory.\n\nAn authenticated attacker able to invoke PDF object operations with a crafted identifier could use relative traversal sequences or absolute path components to cause AIL Framework to open files located outside the PDF storage directory. This could allow disclosure of files readable by the AIL process, including application configuration, credentials, or other sensitive local data. This vulnerability is potential due to additional errors before being able to be executed.\n\nThe fix canonicalises the resulting path with os.path.realpath() and rejects paths whose common directory is outside the configured PDF directory."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The exploitation is not possible due to potential bug before being able to reach the vulnerable code."}], "value": "The exploitation is not possible due to potential bug before being able to reach the vulnerable code."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/ail-project/ail-framework/commit/14c618fce4d1df02358717c48ea903706abecdf2.patch"}], "source": {"discovery": "UNKNOWN"}, "title": "Authenticated Path Traversal in AIL Framework PDF Object Handling Enables Potential Arbitrary File Read", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20103"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20103", "datePublished": "2026-07-05T17:52:03.087783Z", "dateUpdated": "2026-07-05T17:52:20.481142Z", "cveId": "CVE-2026-59510", "dateReserved": "2026-07-05T17:52:20.396Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "cve-search", "repo": "https://github.com/cve-search/cve-search/", "vendor": "cve-search", "versions": [{"lessThanOrEqual": "v6.0.0", "status": "affected", "version": "v4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "George Chen"}, {"lang": "en", "type": "remediation developer", "value": "Esa Jokinen"}, {"lang": "en", "type": "remediation reviewer", "value": "P-T-I"}, {"lang": "en", "type": "coordinator", "value": "Alexandre Dulaunoy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated improper input validation vulnerability in the <code>POST /fetch_cve_data</code> endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the <code>mgmt_users</code> collection, enabling offline password cracking and potential administrative account compromise."}], "value": "An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PoC included in the disclosure"}], "value": "PoC included in the disclosure"}], "impacts": [{"capecId": "CAPEC-676", "descriptions": [{"lang": "en", "value": "CAPEC-676 NoSQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/cve-search/cve-search/pull/1218"}, {"tags": ["exploit", "technical-description"], "url": "https://github.com/cve-search/cve-search/issues/1217"}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthenticated arbitrary MongoDB collection read in cve-search", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20055"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-59509", "datePublished": "2026-07-05T12:01:00.000Z", "dateReserved": "2026-07-05T12:01:00.000Z", "dateUpdated": "2026-07-05T12:43:45.547506Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20055"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "analyst", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "tool", "value": "Claude (the international export version)"}, {"lang": "en", "type": "analyst", "value": "Jakub Chyli\u0144ski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (<code>id</code>) and ownership/scope foreign keys (<code>event_id</code>, <code>org_id</code>, <code>user_id</code>, <code>sharing_group_id</code>, <code>galaxy_cluster_uuid</code>, <code>organisation_uuid</code>, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.</p><p>In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user\u2019s context.</p><p>The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central <code>CRUDComponent::edit()</code>&nbsp;primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub\u2019s patch for <code>7acf8220c</code>&nbsp;describes this central issue as <code>CRUDComponent::edit()</code>&nbsp;copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP <code>save()</code>&nbsp;to update an arbitrary row unless the loaded ID is re-pinned. </p><br>"}], "value": "Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.\n\nIn affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user\u2019s context.\n\nThe fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit()\u00a0primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub\u2019s patch for 7acf8220c\u00a0describes this central issue as CRUDComponent::edit()\u00a0copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save()\u00a0to update an arbitrary row unless the loaded ID is re-pinned."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/8311427c2edd72a8341f0a65e1f11073d7ad9191"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/84bafe69f5d0ab7f811371c0801a613f271ebc0b"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd"}, {"url": "https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20087"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-56422", "datePublished": "2026-06-22T11:38:00.000Z", "dateReserved": "2026-06-22T11:42:00.000Z", "dateUpdated": "2026-06-23T05:58:42.768204Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20087"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/MISP/MISP/", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Chyli\u0144ski"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by <code>JsonLogTool</code>. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.</p><p>The fix restricts log destinations to existing directories beneath <code>APP/tmp/logs</code> or <code>/var/log</code>, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to <code>.log</code> or <code>.ndjson</code> extensions while disallowing executable extension segments.</p>"}], "value": "MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.\n\nThe fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0"}], "source": {"discovery": "EXTERNAL"}, "title": "Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20134"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-56446", "datePublished": "2026-06-22T12:31:00.000Z", "dateReserved": "2026-06-22T12:31:00.000Z", "dateUpdated": "2026-06-23T05:57:05.092862Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20134"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ail framework", "repo": "https://github.com/ail-project/ail-framework", "vendor": "ail project", "versions": [{"lessThanOrEqual": "6.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Aurelien Thirion"}, {"lang": "en", "type": "finder", "value": "Stephen O"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.</p>\n<p>The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.</p><br>"}], "value": "AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.\n\n\nThe patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts."}], "impacts": [{"capecId": "CAPEC-112", "descriptions": [{"lang": "en", "value": "CAPEC-112 Brute Force"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/ail-project/ail-framework/commit/d3a394fe68fd5aeee86f3a3c91d4a0350f91e974"}], "source": {"discovery": "UNKNOWN"}, "title": "AIL Framework - Missing Rate Limiting Enables Brute-Force Attacks Against Two-Factor Authentication Codes", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20131"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20131", "datePublished": "2026-06-22T13:02:18.669480Z", "dateUpdated": "2026-06-22T13:02:27.300718Z", "cveId": "CVE-2026-56450", "dateReserved": "2026-06-22T13:02:27.234Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ail framework", "repo": "https://github.com/ail-project/ail-framework", "vendor": "ail project", "versions": [{"lessThanOrEqual": "6.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Aurelien Thirion"}, {"lang": "en", "type": "finder", "value": "Stephen O"}, {"lang": "en", "type": "finder", "value": "Tom\u00e1s Illuminati"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A path traversal vulnerability exists in AIL Framework before the release containing commit <code>0041456af25da0cdea1c1c4624e46baff2731d8f</code>. An authenticated AIL user can supply crafted object identifiers through the investigation workflow to cause file paths to resolve outside the intended image, favicon, or screenshot storage directories. This may allow the attacker to download and read arbitrary files that are accessible to the AIL process.</p><p>The issue occurs because user-controlled path components were joined with application storage paths without verifying that the resolved path remained within the expected directory. The affected download functionality could then include the contents of such files in a generated archive.</p><br>"}], "value": "A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An authenticated AIL user can supply crafted object identifiers through the investigation workflow to cause file paths to resolve outside the intended image, favicon, or screenshot storage directories. This may allow the attacker to download and read arbitrary files that are accessible to the AIL process.\n\nThe issue occurs because user-controlled path components were joined with application storage paths without verifying that the resolved path remained within the expected directory. The affected download functionality could then include the contents of such files in a generated archive."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/ail-project/ail-framework/commit/0041456af25da0cdea1c1c4624e46baff2731d8f"}], "source": {"discovery": "UNKNOWN"}, "title": "Authenticated Path Traversal in AIL Framework Investigation Downloads Allows Arbitrary File Read", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20088"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20088", "datePublished": "2026-06-22T12:53:47.032329Z", "dateUpdated": "2026-06-22T12:54:39.580842Z", "cveId": "CVE-2026-56448", "dateReserved": "2026-06-22T12:54:39.454Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/MISP/MISP/", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "finder", "value": "Jakub Chyli\u0144ski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP allowed an authenticated site administrator to set the <code>Kafka_rdkafka_config</code> setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as <code>plugin.library.paths</code> to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.</p><p>The issue is fixed by restricting the setting to absolute <code>.ini</code> files located only in approved configuration directories outside the webroot and MISP upload targets.</p><br>"}], "value": "MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.\n\nThe issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets."}], "impacts": [{"capecId": "CAPEC-159", "descriptions": [{"lang": "en", "value": "CAPEC-159 Redirect Access to Libraries"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0"}], "source": {"discovery": "EXTERNAL"}, "title": "MISP remote code execution via arbitrary rdkafka configuration path", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20105"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20105", "datePublished": "2026-06-22T12:39:13.015122Z", "dateUpdated": "2026-06-22T12:39:24.277077Z", "cveId": "CVE-2026-56447", "dateReserved": "2026-06-22T12:39:24.204Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Cormac Doherty"}, {"lang": "en", "type": "remediation developer", "value": "Cormac Doherty"}, {"lang": "en", "type": "remediation verifier", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.</p>\n<p>The application used the PHP session identifier (<code>session_id()</code>) as the OAuth <code>state</code> parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.</p>\n<p>Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.</p>\n<p>The OAuth <code>state</code> value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.</p>\n<p>The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.</p>\n<p>Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.</p>\n<p>The fix introduces:</p>\n<ul>\n<li>\nA dedicated cryptographically random OAuth <code>state</code> value.\n</li>\n<li>\nSingle-use state validation and invalidation.\n</li>\n<li>\nConstant-time state comparison using <code>hash_equals()</code>.\n</li>\n<li>\nSession identifier rotation after successful authentication.\n</li>\n<li>\nEnforcement of HTTPS-only redirect URIs.\n</li>\n<li>\nSanitized and length-limited logging of OAuth error parameters.</li></ul><p><strong>AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)</strong></p>\n"}], "value": "The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.\n\n\nThe application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.\n\n\nAdditionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.\n\n\nThe OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.\n\n\nThe authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.\n\n\nFinally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.\n\n\nThe fix introduces:\n\n\n\n  *  \nA dedicated cryptographically random OAuth state value.\n\n\n  *  \nSingle-use state validation and invalidation.\n\n\n  *  \nConstant-time state comparison using hash_equals().\n\n\n  *  \nSession identifier rotation after successful authentication.\n\n\n  *  \nEnforcement of HTTPS-only redirect URIs.\n\n\n  *  \nSanitized and length-limited logging of OAuth error parameters.\n\n\nAAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)"}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/146bc40ad6e10a44f01e8ed62d5f7bc9c06cc4fa"}], "source": {"discovery": "EXTERNAL"}, "title": "MISP AAD authentication plugin - Improper OAuth State Handling, Missing Session Rotation, Insecure Redirect URI Validation, and Log Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20091"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-56425", "datePublished": "2026-06-22T12:21:00.000Z", "dateReserved": "2026-06-22T12:22:00.000Z", "dateUpdated": "2026-06-22T12:24:50.403439Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20091"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "analyst", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "tool", "value": "Claude (the international export version)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user\u2019s organization.</p><br><p>The affected paths included:</p><ul><li><p><strong>Event Reports tag removal</strong>: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report</p></li></ul><ul><li><strong>Collection Elements bulk deletion</strong><span style=\"background-color: rgb(255, 255, 255);\">: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element\u2019s actual parent collection, enabling deletion of elements from collections the user did not own.</span></li><li><span style=\"background-color: rgb(255, 255, 255);\"><strong>Analyst Data capture/update</strong><span style=\"background-color: rgb(255, 255, 255);\">: nested analyst data updates could overwrite an existing record without applying the normal </span><code>canEditAnalystData</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;ownership check, enabling cross-organization overwrite of analyst data records.</span></span></li><li><span style=\"background-color: rgb(255, 255, 255);\"><strong>Template Elements editing</strong><span style=\"background-color: rgb(255, 255, 255);\">: editing authorized against a template whose ID matched the template-element ID, rather than the element\u2019s actual parent template, enabling unauthorized edits to another organization\u2019s template elements.</span></span></li><li><span style=\"background-color: rgb(255, 255, 255);\"><strong>Decaying Model editing and mappings</strong><span style=\"background-color: rgb(255, 255, 255);\">: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.&nbsp;</span></span></li></ul><div><br></div><div><br></div><span style=\"background-color: rgb(255, 255, 255);\">Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.</span><br><span style=\"background-color: rgb(255, 255, 255);\"><br></span>"}], "value": "MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user\u2019s organization.\n\n\nThe affected paths included:\n\n  *  Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report\n\n\n\n\n  *  Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element\u2019s actual parent collection, enabling deletion of elements from collections the user did not own.\n  *  Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData\u00a0ownership check, enabling cross-organization overwrite of analyst data records.\n  *  Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element\u2019s actual parent template, enabling unauthorized edits to another organization\u2019s template elements.\n  *  Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.\u00a0\n\n\n\n\n\n\n\n\nSuccessful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/24d7e91339a3ef043652dd5799c36e5065b2bb4a"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/57ad774d21bd1863d060a9e6e73ae54eb96784ce"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/3aecc04d5816189412b589cf590c6dbe9a8db5c0"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/ba2f51fe7440ba2c6043ccde858cac1e25f96931"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/744005cefdc3b943bd29669c3b34cc66a5fc2154"}], "source": {"discovery": "UNKNOWN"}, "title": "Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20099"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "datePublished": "2026-06-22T12:13:00.000Z", "dateUpdated": "2026-06-22T12:17:10.271177Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20099", "cveId": "CVE-2026-56424", "dateReserved": "2026-06-22T12:17:10.186Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/MISP/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.41", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "analyst", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "tool", "value": "Claude (the international export version)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP Core contained broken access-control checks in the bulk deletion flows for <strong>Event Reports</strong>&nbsp;and <strong>Sharing Groups</strong>. The affected <code>deleteSelection</code>&nbsp;handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.</p><p>For <strong>Event Reports</strong>, <code>EventReportsController::deleteSelection</code>&nbsp;relied on the global <code>perm_add</code>&nbsp;capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call <code>EventReport::fetchIfAuthorized($user, $itemId, 'delete')</code>&nbsp;for each selected report before deletion.</p><div><br></div><div><span style=\"background-color: rgb(255, 255, 255);\">For </span><strong>Sharing Groups</strong><span style=\"background-color: rgb(255, 255, 255);\">, </span><code>SharingGroupsController::deleteSelection</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;relied on the global </span><code>perm_sharing_group</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call </span><code>SharingGroup::checkIfOwner($user, $itemId)</code><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;for each selected sharing group.</span></div><div><br></div><div><p>An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation\u2019s authorization scope, causing loss of event-report content or sharing-group configuration across the instance.</p><br><br></div>"}], "value": "MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports\u00a0and Sharing Groups. The affected deleteSelection\u00a0handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.\n\nFor Event Reports, EventReportsController::deleteSelection\u00a0relied on the global perm_add\u00a0capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete')\u00a0for each selected report before deletion.\n\n\n\n\nFor Sharing Groups, SharingGroupsController::deleteSelection\u00a0relied on the global perm_sharing_group\u00a0capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId)\u00a0for each selected sharing group.\n\n\n\n\nAn authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation\u2019s authorization scope, causing loss of event-report content or sharing-group configuration across the instance."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/ada02fa6d7558732aa4712fd5e9451cd8c5b7a64"}, {"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/f99b3f16ef22c7acf10e17036c777759cf031c15"}], "source": {"discovery": "INTERNAL"}, "title": "MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20094"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20094", "datePublished": "2026-06-22T11:54:10.298853Z", "dateUpdated": "2026-06-22T11:56:08.008149Z", "cveId": "CVE-2026-56423", "dateReserved": "2026-06-22T11:56:07.846Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ail-framework", "repo": "https://github.com/ail-project/ail-framework", "vendor": "ail-project", "versions": [{"lessThan": "6.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Aurelien Thirion"}, {"lang": "en", "type": "finder", "value": "Stephen O @SakusenSec"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>AIL framework contains a path traversal vulnerability in the <code>/objects/item/diff</code> endpoint. The endpoint accepts item identifiers through the <code>s1</code> and <code>s2</code> query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects.</p><p>An authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format.</p><p>The issue was fixed by validating that both requested items exist before their contents are accessed.</p><br>"}], "value": "AIL framework contains a path traversal vulnerability in the /objects/item/diff endpoint. The endpoint accepts item identifiers through the s1 and s2 query parameters and, prior to the fix, attempted to retrieve and compare item contents without first verifying that both referenced items existed as valid AIL objects.\n\nAn authenticated AIL user could craft malicious item identifiers containing path traversal sequences to cause the application to read gzip-compressed files accessible to the AIL process. This could result in unauthorized disclosure of local file contents, limited to files readable by the application and compatible with the expected gzip-compressed item format.\n\nThe issue was fixed by validating that both requested items exist before their contents are accessed."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/ail-project/ail-framework/commit/074f9a432702d39d7f8db07ece3a11502cf36d73"}], "source": {"discovery": "UNKNOWN"}, "title": "Authenticated Path Traversal in AIL framework /objects/item/diff Allows Reading Gzip-Compressed Files", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20114"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20114", "datePublished": "2026-06-19T08:03:34.981330Z", "dateUpdated": "2026-06-19T08:03:52.099550Z", "cveId": "CVE-2026-56138", "dateReserved": "2026-06-19T08:03:52.032Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authorization flaw in MISP\u2019s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.</p><p>An attacker could craft a request with <code>distribution</code> set to <code>4</code> and an arbitrary <code>sharing_group_id</code>, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.</p><br>"}], "value": "An authorization flaw in MISP\u2019s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.\n\nAn attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}, {"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/4fe48c523e66999d65f99fdec9508adb3aa1c0f3"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP object edit authorization bypass allows unauthorized sharing group assignment", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20070"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20070", "datePublished": "2026-06-12T21:07:14.650450Z", "dateUpdated": "2026-06-12T21:08:11.190809Z", "cveId": "CVE-2026-54398", "dateReserved": "2026-06-12T21:08:11.128Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A vulnerability in MISP\u2019s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event\u2019s <code>sharing_group_id</code> to a sharing group they were not authorized to use. When <code>distribution</code> was set to sharing group distribution, the non-REST save path accepted the submitted <code>sharing_group_id</code> without performing the same sharing group authorization check enforced by the REST edit path.</p><p>An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event\u2019s distribution metadata.</p><p>The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing <code>sharing_group_id</code> when the event distribution is not set to sharing group distribution.</p><br>"}], "value": "A vulnerability in MISP\u2019s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event\u2019s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path.\n\nAn attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event\u2019s distribution metadata.\n\nThe issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/609ff6c785d7dae41d22ef43dda9347d34cd2a58"}], "source": {"discovery": "EXTERNAL"}, "title": "MISP event editing allows unauthorized assignment to undisclosed sharing groups", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20124"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20124", "datePublished": "2026-06-12T20:55:35.673197Z", "dateUpdated": "2026-06-12T20:55:46.810996Z", "cveId": "CVE-2026-54397", "dateReserved": "2026-06-12T20:55:46.737Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled <code>AuthKey.user_id</code> value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body."}], "value": "An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body."}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/42737f4e88df801486334690913dd344e447fac3"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP AuthKey edit endpoint allows authenticated user email enumeration", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20044"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-54396", "datePublished": "2026-06-12T20:45:00.000Z", "dateReserved": "2026-06-12T20:46:00.000Z", "dateUpdated": "2026-06-12T20:47:57.970104Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20044"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The <code>urlparams</code> value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted <code>searcheventinfo</code> value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim\u2019s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with <code>json_encode()</code> before applying HTML escaping at the attribute layer."}], "value": "MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim\u2019s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP UiBeta event index reflected XSS in advanced filter popup", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20030"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-54395", "datePublished": "2026-06-12T20:34:00.000Z", "dateReserved": "2026-06-12T20:34:00.000Z", "dateUpdated": "2026-06-12T20:35:57.600048Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20030"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "MISP contains a path traversal vulnerability in <code>OrganisationsController::getOrgLogo</code>. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as <code>id</code>, <code>name</code>, and <code>uuid</code> without ensuring that the resolved file remains inside the intended <code>APP/files/img/orgs/</code> directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable <code>.png</code> or <code>.svg</code> files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with <code>realpath()</code> and verifying that they remain under the expected base directory before serving the file."}], "value": "MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20123"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20123", "datePublished": "2026-06-12T20:30:07.276457Z", "dateUpdated": "2026-06-12T20:30:17.372737Z", "cveId": "CVE-2026-54394", "dateReserved": "2026-06-12T20:30:17.302Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The <code>setHomePage</code> endpoint previously saved the user-controlled <code>path</code> value through <code>setSettingInternal()</code>, bypassing the normal <code>setSetting()</code> validation logic, including <code>validate_homepage</code>, which requires homepage paths to start with <code>/</code>. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.</p><p>The stored value was later rendered in <code>app/View/News/index.ctp</code> as the <code>href</code> attribute of the \u201cContinue to homepage\u201d link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.</p><p>The issue is fixed by always persisting the homepage setting through <code>setSetting()</code>, ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.</p><br>"}], "value": "A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.\n\nThe stored value was later rendered in app/View/News/index.ctp as the href attribute of the \u201cContinue to homepage\u201d link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.\n\nThe issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2"}], "source": {"discovery": "EXTERNAL"}, "title": "MISP Overmind theme stored XSS via unvalidated homepage setting", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20036"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20036", "datePublished": "2026-06-12T20:16:32.896814Z", "dateUpdated": "2026-06-12T20:21:32.310190Z", "cveId": "CVE-2026-54393", "dateReserved": "2026-06-12T20:21:32.243Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user\u2019s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users."}], "value": "An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user\u2019s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP template builder exposes non-visible custom galaxies across organisations", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20008"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20008", "datePublished": "2026-06-12T20:06:54.852957Z", "dateUpdated": "2026-06-12T20:07:09.547667Z", "cveId": "CVE-2026-54362", "dateReserved": "2026-06-12T20:07:08.918Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as <code>id</code>, <code>org_id</code>, <code>orgc_id</code>, and <code>user_id</code>.</p><p>An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.</p><p>The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.</p><p><strong>Affected components:</strong></p><ul><li><code>CollectionsController::edit()</code></li><li><code>EventDelegationsController::delegateEvent()</code></li><li><code>ShadowAttributesController::edit()</code></li><li><code>TagCollectionsController::edit()915</code></li><li><code>TagCollectionsController::editWithTags()</code></li></ul><p><strong>Attack requirements:</strong><br>The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.</p><br>"}], "value": "MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id.\n\nAn authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.\n\nThe issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.\n\nAffected components:\n\n  *  CollectionsController::edit()\n  *  EventDelegationsController::delegateEvent()\n  *  ShadowAttributesController::edit()\n  *  TagCollectionsController::edit()915\n  *  TagCollectionsController::editWithTags()\n\n\nAttack requirements:\nThe attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20068"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20068", "datePublished": "2026-06-12T19:59:32.150071Z", "dateUpdated": "2026-06-12T19:59:41.302526Z", "cveId": "CVE-2026-54361", "dateReserved": "2026-06-12T19:59:41.236Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A mass assignment vulnerability exists in MISP\u2019s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied <code>id</code> field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a <code>create()</code> followed by <code>save()</code> operation to update an existing record instead of creating a new one.</p><p>An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.</p><p><strong>Affected component:</strong><br><code>app/Controller/SharingGroupsController.php</code>, <code>add()</code> action</p><br>"}], "value": "A mass assignment vulnerability exists in MISP\u2019s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.\n\nAn authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.\n\nAffected component:\napp/Controller/SharingGroupsController.php, add() action"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20120"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20120", "datePublished": "2026-06-12T19:51:28.662997Z", "dateUpdated": "2026-06-12T19:51:37.145352Z", "cveId": "CVE-2026-54360", "dateReserved": "2026-06-12T19:51:37.078Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jos\u00e9 Pedro Mo\u00e7o"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "MISP contains an insecure default configuration in which the <code>Security.check_sec_fetch_site_header</code> control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided <code>Sec-Fetch-Site</code> header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user\u2019s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling <code>Security.check_sec_fetch_site_header</code> mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it."}], "value": "MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user\u2019s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/b82db1bcaa550689c05e1ed175e81f25a8d97b91"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP automation endpoints may be exposed to CSRF when Sec-Fetch-Site protection is disabled by default", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20040"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20040", "datePublished": "2026-06-12T19:44:03.403919Z", "dateUpdated": "2026-06-12T19:44:13.229452Z", "cveId": "CVE-2026-54359", "dateReserved": "2026-06-12T19:44:13.149Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "HE WEI"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization.</p><p>Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance\u2019s confidentiality, integrity, and availability.<br><br>Attack prerequisites:<br>The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.<br></p><br>"}], "value": "An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization.\n\nSuccessful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance\u2019s confidentiality, integrity, and availability.\n\nAttack prerequisites:\nThe attacker must be authenticated as an organization administrator in the same organization as a site administrator account."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.5, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/146795489abef478c8f595ecde2501c32482b81e"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP organization administrators can target site administrator accounts for password reset", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20006"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20006", "datePublished": "2026-06-12T19:34:16.198371Z", "dateUpdated": "2026-06-12T19:34:30.813844Z", "cveId": "CVE-2026-54358", "dateReserved": "2026-06-12T19:34:30.744Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThan": "2.5.40", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "HE WEI\uff08\u30ae\u30ab\u30af)"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.</p><p>The patch hardens the ACL logic by excluding site administrator accounts from organization administrator\u2013managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.</p><br>"}], "value": "An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.\n\nThe patch hardens the ACL logic by excluding site administrator accounts from organization administrator\u2013managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/ed3d9b862dea4c8c8e9b620a5ad99ce0c2c82154"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP improper authorization allows organization administrators to modify site administrator user settings", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20084"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20084", "datePublished": "2026-06-12T19:25:13.040008Z", "dateUpdated": "2026-06-12T19:25:24.661452Z", "cveId": "CVE-2026-54357", "dateReserved": "2026-06-12T19:25:24.593Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.38", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in <code>UsersController::edit()</code>. When processing edit requests, the application accepted a user-controlled <code>User.id</code> value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker\u2019s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.</p><p>The issue was addressed by explicitly removing the <code>User.id</code> field from request data before processing the user edit operation.</p><p>\nIf MISP.disableUserSelfManagement is enabled on the instance, non-admin users can not use the vulnerable endpoint.<br></p><br>"}], "value": "A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker\u2019s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.\n\nThe issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.\n\n\nIf MISP.disableUserSelfManagement is enabled on the instance, non-admin users can not use the vulnerable endpoint."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"url": "https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20092"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-10868", "datePublished": "2026-06-04T14:37:00.000Z", "dateUpdated": "2026-06-12T06:57:43.643196Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20092"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.38", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jeroen Pinoy"}, {"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Fase Rais Baradika"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as <code>($validationError === null &amp;&amp; POST) || DELETE</code>, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks."}], "value": "A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks."}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}, {"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.9, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP CRUDComponent delete validation bypass via operator precedence error", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20080"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "cveId": "CVE-2026-10860", "datePublished": "2026-06-04T13:33:00.000Z", "dateUpdated": "2026-06-11T13:25:46.835801Z", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20080"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/MISP/MISP", "vendor": "misp", "versions": [{"lessThan": "2.5.39", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Jos\u00e9 Pedro Mo\u00e7o"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP instances with the <code>Security.check_sec_fetch_site_header</code> setting disabled may be exposed to cross-site request forgery attacks against state-changing endpoints, including automation endpoints. A remote unauthenticated attacker could craft a malicious web page or link that causes the browser of an authenticated MISP user to issue POST, PUT, or AJAX requests to the affected instance. If accepted by the application, those requests may be processed with the privileges of the victim user.</p><p>This issue is configuration-dependent. The upstream change introduces an administrative security warning for instances where <code>Security.check_sec_fetch_site_header</code> is not enabled. Enabling this setting is recommended because it restricts relevant requests to cases where the <code>Sec-Fetch-Site</code> header is absent or indicates <code>same-origin</code>. Operators of multi-homed instances should test before enabling, as this protection may interfere with deployments that are accessed through multiple hostnames or addresses.</p><p>Affected configuration:<br><code>Security.check_sec_fetch_site_header = false</code></p><p>Recommended mitigation:<br>Enable <code>Security.check_sec_fetch_site_header</code> where compatible with the deployment, and validate legitimate workflows on instances served under multiple hostnames.</p><br>"}], "value": "MISP instances with the Security.check_sec_fetch_site_header setting disabled may be exposed to cross-site request forgery attacks against state-changing endpoints, including automation endpoints. A remote unauthenticated attacker could craft a malicious web page or link that causes the browser of an authenticated MISP user to issue POST, PUT, or AJAX requests to the affected instance. If accepted by the application, those requests may be processed with the privileges of the victim user.\n\nThis issue is configuration-dependent. The upstream change introduces an administrative security warning for instances where Security.check_sec_fetch_site_header is not enabled. Enabling this setting is recommended because it restricts relevant requests to cases where the Sec-Fetch-Site header is absent or indicates same-origin. Operators of multi-homed instances should test before enabling, as this protection may interfere with deployments that are accessed through multiple hostnames or addresses.\n\nAffected configuration:\nSecurity.check_sec_fetch_site_header = false\n\nRecommended mitigation:\nEnable Security.check_sec_fetch_site_header where compatible with the deployment, and validate legitimate workflows on instances served under multiple hostnames."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/b82db1bcaa550689c05e1ed175e81f25a8d97b91"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP may be exposed to CSRF attacks when Sec-Fetch-Site enforcement is disabled", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20046"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20046", "datePublished": "2026-06-11T13:07:22.129989Z", "dateUpdated": "2026-06-11T13:08:27.777574Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "cerebrate", "repo": "https://github.com/cerebrate-project/cerebrate", "vendor": "cerebrate", "versions": [{"lessThan": "1.37", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Andras Iklody"}, {"lang": "en", "type": "finder", "value": "Claude Fable 5"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant\u2019s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message.</p><p>An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems.</p><p>Cerebrate 1.37 fixes the issue by redacting sensitive <code>password</code> and <code>authkey</code> fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing.<br><br></p><p><strong>Affected component:</strong> Inbox self-registration request handling and audit logging</p><p><strong>Fixed version:</strong> Cerebrate 1.37</p><p></p><br>"}], "value": "Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant\u2019s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message.\n\nAn authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems.\n\nCerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing.\n\n\n\nAffected component: Inbox self-registration request handling and audit logging\n\nFixed version: Cerebrate 1.37"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"url": "https://github.com/cerebrate-project/cerebrate/commit/02da6d708d610c8509a1aab3f58f53f0a91d8a04."}], "source": {"discovery": "UNKNOWN"}, "title": "Cerebrate self-registration password hash exposure via inbox and audit log views", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20027"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20027", "datePublished": "2026-06-11T10:02:42.624185Z", "dateUpdated": "2026-06-11T10:02:55.904460Z", "cveId": "CVE-2026-53912", "dateReserved": "2026-06-11T10:02:55.809Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}]
