Description
A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. The patch adds shared escaping helpers for HTML, attributes, JavaScript strings, and CSS color validation, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards.

An attacker able to create or influence stored tag or metadata values could inject a crafted payload that is later rendered in another user’s browser. Successful exploitation could execute arbitrary JavaScript in the victim’s session when they view affected BSimVis pages, potentially allowing the attacker to perform actions as the victim, read data available to the victim, or alter displayed application content.



This issue affects MISP bsimvis: through v0.2.0.
Published: 2026-06-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in MISP BSimVis tag rendering logic. Tag names, collection names, entity identifiers, cluster names, and tag metadata are incorporated directly into HTML, HTML attributes, inline JavaScript events, and CSS style values without proper escaping, allowing an attacker to originate an HTML/JavaScript payload that is stored and later displayed to other users. If the payload is executed in a victim’s browser, the attacker can run arbitrary JavaScript within the victim’s session, enabling credential theft, session hijacking, data exfiltration, or manipulation of visible application content.

Affected Systems

The vulnerability affects the MISP BSimVis component, with affected versions up to and including v0.2.0. Any instance of the library prior to the patch that processes tag metadata in the rendering paths is impacted.

Risk and Exploitability

The reported CVSS score of 6.9 indicates a moderate severity. EPSS is unavailable, so the likelihood of exploitation is not quantified, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with the ability to create or modify tag or metadata values, after which the injected content is stored and rendered to other users who view the affected BSimVis pages. The attack vector is therefore indirect and relies on user input that is not sanitized before storage.

Generated by OpenCVE AI on June 10, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP BSimVis to a version that includes the shared escaping helpers for HTML, attribute, JavaScript, and CSS contexts (the patch referenced in the commit).
  • If an upgrade is not immediately possible, restrict tag creation and editing privileges to trusted administrator accounts to limit the opportunity for malicious payload injection.
  • Apply a robust content security policy (CSP) that disallows scripting from untrusted sources on BSimVis pages to reduce the impact of any stored XSS payload.

Generated by OpenCVE AI on June 10, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. The patch adds shared escaping helpers for HTML, attributes, JavaScript strings, and CSS color validation, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. An attacker able to create or influence stored tag or metadata values could inject a crafted payload that is later rendered in another user’s browser. Successful exploitation could execute arbitrary JavaScript in the victim’s session when they view affected BSimVis pages, potentially allowing the attacker to perform actions as the victim, read data available to the victim, or alter displayed application content. This issue affects MISP bsimvis: through v0.2.0.
Title MISP BSimVis stored cross-site scripting in tag and cluster rendering paths via unescaped tag metadata and UI labels
Weaknesses CWE-116
CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-10T16:15:16.975Z

Reserved: 2026-06-10T14:33:02.581Z

Link: CVE-2026-53693

cve-icon Vulnrichment

Updated: 2026-06-10T16:15:13.469Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T16:17:16.917

Modified: 2026-06-10T20:11:16.543

Link: CVE-2026-53693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T18:15:17Z

Weaknesses