A stored cross‑site scripting vulnerability exists in MISP’s legacy templating engine. The engine accepts arbitrary values for template element attribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes can store a crafted value that results in malicious JavaScript being injected into pages viewed by other users, enabling session hijacking, credential theft, or other malicious actions performed in the victim’s browser.

All installations of MISP core with a version older than 2.5.37 that use the legacy templating engine are affected. The vulnerable code resides in the old template element attribute handling logic, which the product removes in version 2.5.38.

The CVSS score of 6.8 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. Exploitation requires that an attacker be authenticated and have permission to create or modify template element attributes; no additional prerequisites are needed. Once the permission is granted, the attacker can inject malicious code that will be rendered whenever an affected page is loaded by any user. Because the flaw depends on privileged credentials and is not widespread, organizations with strict role‑based access controls may mitigate the risk by restricting template editing rights.