CVE-2026-8080
MEDIUM EPSS 3.7%
Published May 7, 20261mo ago · Modified Jun 22, 20261w ago
6.8 CVSS 4.0
Published May 7, 2026 1mo ago
Last Modified Jun 22, 2026 1w ago
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction A
Scope X
Threat Intelligence
EPSS Exploit Probability
3.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| misp-project | misp | * | <2.5.37 |
References 1
- github.com https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0
Remediation
- github.com https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0