CVE-2026-54393

MEDIUM EPSS 29.6%

Published Jun 12, 20262w ago · Modified Jun 17, 20261w ago

5.1 CVSS 4.0

Medium

Published Jun 12, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload. The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with. The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.

CVSS Details

Base Score

5.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction A

Scope X

Threat Intelligence

EPSS Exploit Probability

29.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 1

github.com https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.