CVE-2026-10861

MEDIUM · EPSS 12.8%
Published Jun 4, 2026 (3w ago) · Modified Jun 22, 2026 (1w ago)
CVSS 4.0 base score 5.1 (Medium)

Description

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
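A validator built from the checks the description lists (decode, parse, reject any scheme, host or user component, require an absolute local path, reject protocol-relative forms), written here as an added Python example; it is not MISP's PHP patch and not code from the MISP project. The function names is_local_redirect_path and post_login_redirect are my own, and the inputs in the comments are constructed. It goes slightly beyond the two forms named above by treating any slash or backslash in the second position as protocol-relative (which also covers repeated-slash variants such as ///host) and by rejecting control characters in the decoded value.

```python
from urllib.parse import unquote, urlsplit

# Extra check beyond the CVE description: control characters (including CR/LF)
# have no place in a redirect target, so reject them outright.
_CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def is_local_redirect_path(raw) -> bool:
    """Return True only if `raw` is an absolute path inside this application.

    Mirrors the checks the CVE description attributes to the MISP fix:
    decode, parse, then reject a scheme, a host, a user component, a missing
    or non-local path, and protocol-relative forms such as //host and /\\host.
    """
    if not isinstance(raw, str) or not raw:
        return False

    # Decode once before any inspection, so an encoded "%2F%2Fhost" cannot
    # pass a check that only looks at the raw string.
    decoded = unquote(raw)

    if any(ch in _CONTROL_CHARS for ch in decoded):
        return False

    parts = urlsplit(decoded)

    # Any scheme (http, https, javascript, data, ...) means an external target.
    if parts.scheme:
        return False
    # A host or userinfo component means this is not a bare application path.
    if parts.netloc or parts.username or parts.password:
        return False

    # The path must be present and absolute within this application.
    if not decoded.startswith("/"):
        return False
    # Protocol-relative forms: "//host", "/\host" and repeated-slash variants
    # such as "///host", all of which browsers resolve to a different origin.
    if len(decoded) >= 2 and decoded[1] in "/\\":
        return False

    return True


def post_login_redirect(session_value, default: str = "/") -> str:
    """Choose the post-login destination: the stored value if it is a local
    path, otherwise a safe default inside the application."""
    if is_local_redirect_path(session_value):
        return session_value
    return default


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are rejected.
    for candidate in ["/events/index", "/events/view/1?x=1#f",
                      "https://example.com/", "//example.com", "///example.com",
                      "/\\example.com", "/%2F%2Fexample.com", "/%5Cexample.com",
                      "events/index", "javascript:alert(1)", ""]:
        print(f"{candidate!r:28} -> {post_login_redirect(candidate)}")
```

The decode-then-check order is the important design point: a validator that inspects only the raw session value can be bypassed by percent-encoding the leading slashes, which is why the description stresses decoding before parsing.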

CVSS Details

Base Score
5.1
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Active (A)
Scope X

Threat Intelligence

EPSS Exploit Probability
12.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-601

Affected Products 1

Vendor        Product  Version  Range
misp-project  misp     *        <2.5.39

References 1

  • github.com https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d59a1f961b31adb3443e
    Patch

Remediation

  • github.com https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d59a1f961b31adb3443e
    Patch