CVE Catalog

CVE-2026-8080

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

In MISP versions before 2.5.37, there is a stored XSS vulnerability due to improper neutralization of input during web page generation. An attacker can input malicious values in the type and category fields of template element attributes.

Risk Assessment

This vulnerability may lead to the execution of malicious code in users' browsers, threatening data security and application integrity. It could allow attackers to steal sessions or perform other harmful actions.

Recommendation

It is recommended to upgrade MISP to version 2.5.37 or later to eliminate this vulnerability. Additionally, an audit of existing template attributes should be conducted to detect potentially malicious values.

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

Vulnerability data from NVD (NIST) · CISA KEV · EPSS