MISP (product): known vulnerabilities
92 known vulnerabilities across versions.
Vulnerabilities are listed by affected version, newest first. Select any CVE for the full briefing and its intelligence graph. Entries marked "all versions" carry no structured affected range in this index; for those, the description names the release the issue was reported against, and the fix release has to be taken from the upstream advisory. Descriptions are shown truncated in this index.
CVE | affected versions | CVSS base score (severity)

CVE-2026-44381 | < 2.5.37 | CVSS 5.3 (MEDIUM)
  MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the han

CVE-2026-44380 | < 2.5.37 | CVSS 7.2 (HIGH)
  MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the

CVE-2026-44379 | < 2.5.37 | CVSS 5.3 (MEDIUM)
  MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID v

CVE-2026-8080 | < 2.5.37 | CVSS 5.4 (MEDIUM)
  Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XS

CVE-2026-39962 | < 2.5.36 | CVSS 9.6 (CRITICAL)
  MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in a

CVE-2025-67906 | < 2.5.28 | CVSS 5.4 (MEDIUM)
  In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path.

CVE-2024-58130 | < 2.4.193 | CVSS 7.2 (HIGH)
  In app/Controller/Component/RestResponseComponent.php in MISP before 2.4.193, REST endpoints have a lack of sanitization for non-J

CVE-2024-58129 | < 2.4.193 | CVSS 5.5 (MEDIUM)
  In MISP before 2.4.193, menu_custom_right_link_html parameters can be set via the UI (i.e., without using the CLI) and thus attack

CVE-2024-58128 | < 2.4.193 | CVSS 5.5 (MEDIUM)
  In MISP before 2.4.193, menu_custom_right_link parameters can be set via the UI (i.e., without using the CLI) and thus attackers w

CVE-2024-57969 | < 2.4.198 | CVSS 4.3 (MEDIUM)
  app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

CVE-2024-46918 | < 2.4.198 | CVSS 4.9 (MEDIUM)
  app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login f

CVE-2024-45509 | < 2.4.197 | CVSS 6.5 (MEDIUM)
  In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case wh

CVE-2024-29859 | < 2.4.187 | CVSS 9.8 (CRITICAL)
  In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.

CVE-2024-29858 | < 2.4.187 | CVSS 9.8 (CRITICAL)
  In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload

CVE-2024-25675 | < 2.4.184 | CVSS 9.8 (CRITICAL)
  An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is

CVE-2024-25674 | < 2.4.184 | CVSS 9.8 (CRITICAL)
  An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file exte

CVE-2023-50918 | < 2.4.182 | CVSS 9.8 (CRITICAL)
  app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

CVE-2023-49926 | < 2.4.179 | CVSS 6.1 (MEDIUM)
  app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget.

CVE-2023-41098 | all versions | CVSS 6.1 (MEDIUM)
  An issue was discovered in MISP 2.4.174. In app/Controller/DashboardsController.php, a reflected XSS issue exists via the id param

CVE-2023-40224 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.174 allows XSS in app/View/Events/index.ctp.

CVE-2022-48329 | < 2.4.166 | CVSS 9.8 (CRITICAL)
  MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.

CVE-2022-48328 | < 2.4.167 | CVSS 9.8 (CRITICAL)
  app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

CVE-2023-24028 | all versions | CVSS 9.8 (CRITICAL)
  In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.

CVE-2023-24027 | all versions | CVSS 6.1 (MEDIUM)
  In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

CVE-2023-24026 | all versions | CVSS 6.1 (MEDIUM)
  In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

CVE-2022-29534 | < 2.4.158 | CVSS 7.5 (HIGH)
  An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involvin

CVE-2022-29533 | < 2.4.158 | CVSS 6.1 (MEDIUM)
  An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "

CVE-2022-29532 | < 2.4.158 | CVSS 4.8 (MEDIUM)
  An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in

CVE-2022-29531 | < 2.4.158 | CVSS 5.4 (MEDIUM)
  An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.

CVE-2022-29530 | < 2.4.158 | CVSS 5.4 (MEDIUM)
  An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.

CVE-2022-29529 | < 2.4.158 | CVSS 5.4 (MEDIUM)
  An issue was discovered in MISP before 2.4.158. There is stored XSS via the LinOTP login field.

CVE-2022-29528 | < 2.4.158 | CVSS 9.8 (CRITICAL)
  An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

CVE-2022-27246 | < 2.4.156 | CVSS 6.1 (MEDIUM)
  An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.

CVE-2022-27245 | < 2.4.156 | CVSS 8.8 (HIGH)
  An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This cou

CVE-2022-27244 | < 2.4.156 | CVSS 4.8 (MEDIUM)
  An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name.

CVE-2022-27243 | < 2.4.156 | CVSS 7.8 (HIGH)
  An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file set

CVE-2021-41326 | < 2.4.148 | CVSS 9.8 (CRITICAL)
  In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.

CVE-2021-39302 | all versions | CVSS 9.8 (CRITICAL)
  MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.

CVE-2021-37743 | all versions | CVSS 5.4 (MEDIUM)
  app/View/GalaxyElements/ajax/index.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster elements in JSON format.

CVE-2021-37742 | all versions | CVSS 5.4 (MEDIUM)
  app/View/Elements/GalaxyClusters/view_relation_tree.ctp in MISP 2.4.147 allows Stored XSS when viewing galaxy cluster relationship

CVE-2021-37534 | all versions | CVSS 5.4 (MEDIUM)
  app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.

CVE-2021-36212 | < 2.4.146 | CVSS 6.1 (MEDIUM)
  app/View/SharingGroups/view.ctp in MISP before 2.4.146 allows stored XSS in the sharing groups view.

CVE-2021-35502 | all versions | CVSS 9.8 (CRITICAL)
  app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to ge

CVE-2021-31780 | all versions | CVSS 7.5 (HIGH)
  In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an eve

CVE-2021-27904 | <= 2.4.139 | CVSS 5.5 (MEDIUM)
  An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org

CVE-2020-24085 | all versions | CVSS 6.1 (MEDIUM)
  A cross-site scripting (XSS) vulnerability exists in MISP v2.4.128 in app/Controller/UserSettingsController.php at SetHomePage() f

CVE-2021-3184 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.136 has XSS via a crafted URL to the app/View/Elements/global_menu.ctp user homepage favourite button.

CVE-2021-25325 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.136 has XSS via galaxy cluster element values to app/View/GalaxyElements/ajax/index.ctp. Reference types could contain ja

CVE-2021-25324 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.

CVE-2021-25323 | all versions | CVSS 9.1 (CRITICAL)
  The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous pa

CVE-2020-29572 | all versions | CVSS 6.1 (MEDIUM)
  app/View/Elements/genericElements/SingleViews/Fields/genericField.ctp in MISP 2.4.135 has XSS via the authkey comment field.

CVE-2020-29006 | < 2.4.135 | CVSS 9.8 (CRITICAL)
  MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.

CVE-2020-28947 | all versions | CVSS 6.1 (MEDIUM)
  In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.

CVE-2020-28043 | <= 2.4.133 | CVSS 7.5 (HIGH)
  MISP through 2.4.133 allows SSRF in the REST client via the use_full_path parameter with an arbitrary URL.

CVE-2020-25766 | < 2.4.132 | CVSS 7.5 (HIGH)
  An issue was discovered in MISP before 2.4.132. It can perform an unwanted action because of a POST operation on a form that is no

CVE-2020-15711 | < 2.4.129 | CVSS 8.8 (HIGH)
  In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.

CVE-2020-15412 | all versions | CVSS 4.3 (MEDIUM)
  An issue was discovered in MISP 2.4.128. app/Controller/EventsController.php lacks an event ACL check before proceeding to allow a

CVE-2020-15411 | all versions | CVSS 9.8 (CRITICAL)
  An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment dow

CVE-2020-14969 | all versions | CVSS 7.5 (HIGH)
  app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute res

CVE-2020-13153 | < 2.4.126 | CVSS 6.1 (MEDIUM)
  app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.

CVE-2020-12889 | all versions | CVSS 9.8 (CRITICAL)
  MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case.

CVE-2020-11458 | < 2.4.124 | CVSS 4.9 (MEDIUM)
  app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This do

CVE-2020-10247 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.

CVE-2020-10246 | all versions | CVSS 6.1 (MEDIUM)
  MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.

CVE-2020-8894 | < 2.4.121 | CVSS 6.5 (MEDIUM)
  An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.ph

CVE-2020-8893 | < 2.4.121 | CVSS 7.5 (HIGH)
  An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galax

CVE-2020-8892 | < 2.4.121 | CVSS 8.1 (HIGH)
  An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series

CVE-2020-8891 | < 2.4.121 | CVSS 5.9 (MEDIUM)
  An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of inv

CVE-2020-8890 | < 2.4.121 | CVSS 5.9 (MEDIUM)
  An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machin

CVE-2019-19379 | all versions | CVSS 5.3 (MEDIUM)
  In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.

CVE-2019-16202 | < 2.4.115 | CVSS 6.5 (MEDIUM)
  MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked

CVE-2019-14286 | all versions | CVSS 6.1 (MEDIUM)
  In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnerability exists in the event-graph view when a user toggles th

CVE-2019-12868 | all versions | CVSS 7.2 (HIGH)
  app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function

CVE-2019-12794 | all versions | CVSS 6.6 (MEDIUM)
  An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the

CVE-2019-11814 | < 2.4.107 | CVSS 6.1 (MEDIUM)
  An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.107. There is persistent XSS via image names in titles, as de

CVE-2019-11813 | < 2.4.107 | CVSS 6.1 (MEDIUM)
  An issue was discovered in app/View/Elements/Events/View/value_field.ctp in MISP before 2.4.107. There is persistent XSS via link

CVE-2019-11812 | < 2.4.107 | CVSS 6.1 (MEDIUM)
  A persistent XSS issue was discovered in app/View/Helper/CommandHelper.php in MISP before 2.4.107. JavaScript can be included in t

CVE-2019-10254 | < 2.4.105 | CVSS 6.1 (MEDIUM)
  In MISP before 2.4.105, the app/View/Layouts/default.ctp default layout template has a Reflected XSS vulnerability.

CVE-2019-9482 | all versions | CVSS 5.3 (MEDIUM)
  In MISP 2.4.102, an authenticated user can view sightings that they should not be eligible for. Exploiting this requires access to

CVE-2018-19908 | >= 2.4.90 and < 2.4.99 | CVSS 8.8 (HIGH)
  An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename strin

CVE-2018-12649 | all versions | CVSS 9.8 (CRITICAL)
  An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection b

CVE-2018-11562 | all versions | CVSS 6.1 (MEDIUM)
  An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user cli

CVE-2018-11245 | all versions | CVSS 6.1 (MEDIUM)
  app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex type attributes.

CVE-2018-8949 | < 2.4.89 | CVSS 4.3 (MEDIUM)
  An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allow

CVE-2018-8948 | < 2.4.89 | CVSS 6.1 (MEDIUM)
  In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has multiple XSS issues via a malicious MISP module.

CVE-2018-6926 | all versions | CVSS 7.2 (HIGH)
  In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red

CVE-2017-16946 | all versions | CVSS 4.9 (MEDIUM)
  The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows ad

CVE-2017-16802 | all versions | CVSS 5.4 (MEDIUM)
  In the sharingGroupPopulateOrganisations function in app/webroot/js/misp.js in MISP 2.4.82, there is XSS via a crafted organisatio

CVE-2017-15216 | <= 2.4.80 | CVSS 6.1 (MEDIUM)
  MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Si

CVE-2017-14337 | <= 2.4.79 | CVSS 8.1 (HIGH)
  When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external use

CVE-2017-13671 | <= 2.4.78 | CVSS 6.1 (MEDIUM)
  app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same ins

CVE-2017-7215 | <= 2.4.68 | CVSS 6.1 (MEDIUM)
  Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing p
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin