Description
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.

An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
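The following is an added example and not MISP's own code: a small model of the button URL check as the description characterises it, in its permissive (pre-patch) and hardened (patched) forms, next to the WHATWG URL parser that browsers and Node.js share, so the "/\example.com" case can be checked end to end. The base origin, the function names and the component splitter are assumptions made for this demonstration; the hardened check also adds a same-origin resolution test that goes beyond the two rejections the patch is described as adding.

```javascript
// Added example (not MISP's code): model of the dashboard button URL check.
// BASE, the function names and splitUrl() are assumptions for this demo.
const BASE = 'https://misp.example.org/'; // constructed page origin

// Split a raw button URL into scheme / user / host / path / query / fragment.
// Hypothetical stand-in for the server-side component parser; null if it
// cannot be split at all.
function splitUrl(raw) {
  const re = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):)?(?:\/\/(?:([^@\/]*)@)?([^\/?#]*))?([^?#]*)(\?[^#]*)?(#[\s\S]*)?$/;
  const m = re.exec(raw);
  if (!m) return null;
  return { scheme: m[1], user: m[2], host: m[3], path: m[4], query: m[5] || '', fragment: m[6] || '' };
}

// Permissive check: rejects an explicit scheme, host or user component and
// otherwise returns the reconstructed URL. "/\example.com" passes because the
// splitter sees no scheme, host or user in it, only a path.
function permissiveCheck(raw) {
  const p = splitUrl(raw);
  if (!p || p.scheme || p.host || p.user) return null;
  return p.path + p.query + p.fragment;
}

// Pre-patch href as the advisory describes it: reconstructed URL followed by
// the original input, which doubles even a harmless path.
function permissiveHref(raw) {
  const reconstructed = permissiveCheck(raw);
  return reconstructed === null ? null : reconstructed + raw;
}

// Where a browser actually navigates for a given href on this origin. The
// WHATWG parser treats "\" like "/" for http(s), so "/\example.com" is read
// as the scheme-relative "//example.com".
function resolveInBrowser(href) {
  return new URL(href, BASE).href;
}

// Hardened check: the patch's two added rejections (empty path, path starting
// with "/\"), plus a same-origin resolution test that is this example's own
// extra safeguard, not something the advisory attributes to the patch.
function hardenedCheck(raw) {
  const p = splitUrl(raw);
  if (!p || p.scheme || p.host || p.user) return null;
  if (p.path === '') return null;              // empty path
  if (p.path.startsWith('/\\')) return null;   // slash followed by backslash
  const reconstructed = p.path + p.query + p.fragment;
  if (new URL(reconstructed, BASE).origin !== new URL(BASE).origin) return null;
  return reconstructed;                        // the only thing the href emits
}

// Constructed sample inputs: where each check lands and where a browser goes.
const samples = ['/dashboard/index', '/\\example.com', '//example.com/x',
                 'https://example.com', '', 'javascript:alert(1)'];
for (const s of samples) {
  const ok = permissiveCheck(s);
  const hard = hardenedCheck(s);
  console.log(JSON.stringify(s),
    '| permissive ->', ok === null ? 'rejected' : resolveInBrowser(ok),
    '| hardened ->', hard === null ? 'rejected' : resolveInBrowser(hard));
}
```

Running the block shows the two cases the patch targets: the empty string and "/\example.com" both pass the permissive check, and the latter resolves to https://example.com/ in the browser, while the hardened check rejects both and only ever emits a path that resolves back onto the page's own origin.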
Published: 2026-06-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in MISP’s dashboard button widget allowed an attacker to define a URL that appears local but is interpreted by browsers as an external address. The validation rejected explicit schemes, hosts, or user components but tolerated paths beginning with a slash followed by a backslash, such as /\example.com. Browsers normalize backslashes to forward slashes, turning the path into a scheme‑relative link that redirects to an attacker-controlled site. The resulting open redirect can be used for phishing, credential theft, or social engineering, without exposing system data or code execution capabilities.

Affected Systems

This issue impacts MISP, the open‑source threat intelligence platform, particularly versions that deploy the dashboard button widget. Vendor and product information is recorded as misp:misp, but specific released versions are not listed in the current data. All instances allowing the creation or alteration of dashboard button URLs are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is classified as moderate severity. No EPSS or KEV presence is reported. The attack vector is user interaction: an attacker who can influence the configuration of a button can embed a malicious link that looks legitimate. Because the redirect occurs client‑side, exploitation is limited to deceiving users rather than compromising the server or broader system state. The risk is primarily to users’ credentials and the confidentiality of sensitive data they may enter on external sites.

Generated by OpenCVE AI on June 4, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to the latest release that removes the validation loophole and emits only the reconstructed, validated URL in the anchor tag.
  • If an upgrade is not immediately possible, disable or remove the dashboard button widget, or limit its configuration to trusted internal URLs and explicitly reject any path beginning with /\.
  • Audit existing button configurations and restrict who can create or edit them; ensure only privileged administrators can alter button URLs that might be exposed to users.



Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation. An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
Title Open redirect in MISP dashboard button widget URL handling
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/U:Green'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T13:47:11.511Z

Reserved: 2026-06-04T13:15:28.245Z

Link: CVE-2026-10856

Vulnrichment

Updated: 2026-06-04T13:47:08.033Z

NVD

Status : Analyzed

Published: 2026-06-04T14:16:37.947

Modified: 2026-06-08T13:59:08.217

Link: CVE-2026-10856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')