Description
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the UiBeta event index view of MISP. A malicious URL contains a crafted searcheventinfo parameter that is inserted into an inline JavaScript handler using HTML escaping inside a single‑quoted string. Because browsers decode HTML entities before parsing JavaScript, an attacker can inject quote characters that break out of the string, allowing arbitrary JavaScript execution in the victim’s browser context. This flaw is classified as CWE‑79 and can be exploited to steal credentials, deface, or perform actions on behalf of the authenticated user.

Affected Systems

MISP (misp:misp) is affected. No specific version information is disclosed in the advisory; users should check the vendor’s release notes for the presence of the described fix.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score is not reported, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting that widespread exploitation has not yet occurred. The likely attack vector is a web‑based HTTP request containing a malicious URL. An attacker who convinces a user to visit a crafted link while logged into MISP can inject and execute JavaScript in that user’s browser, potentially compromising session data and the integrity of the application.

Generated by OpenCVE AI on June 12, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MISP to the latest release that includes the XSS fix (the commit b865deb0 implements the fix).
  • If an upgrade is not immediately possible, modify the handling of urlparams in the event index so that the value is first encoded as a JavaScript string literal with json_encode() before applying HTML escaping.
  • Enable Content Security Policy (CSP) headers to restrict inline script execution and mitigate the impact of any remaining reflected XSS payloads.

Generated by OpenCVE AI on June 12, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
Title MISP UiBeta event index reflected XSS in advanced filter popup
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T20:36:09.244Z

Reserved: 2026-06-12T20:34:55.208Z

Link: CVE-2026-54395

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T21:16:25.293

Modified: 2026-06-12T21:16:25.293

Link: CVE-2026-54395

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T22:45:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')