CVE-2026-10854
MEDIUM EPSS 7.4%
Published Jun 4, 20263w ago · Modified Jun 22, 20266d ago
5.3 CVSS 4.0
Published Jun 4, 2026 3w ago
Last Modified Jun 22, 2026 6d ago
Description
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
7.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| misp-project | misp | * | <2.5.39 |
References 1
- github.com https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a
Remediation
- github.com https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a