CVE-2026-9137
MEDIUM EPSS 28.4%
Published May 20, 20261mo ago · Modified Jun 22, 20261w ago
5.1 CVSS 4.0
Published May 20, 2026 1mo ago
Last Modified Jun 22, 2026 1w ago
Description
The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X
Threat Intelligence
EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-400 Uncontrolled Resource Consumption Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| misp-project | misp | * | ≥2.5.0 – <2.5.38 |
References 1
- github.com https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9
Remediation
- github.com https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9