|
2871
|
- |
|
-
|
-
|
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJA…
|
CWE-352
CWE-1188
Origin Validation Error
Insecure Default Initialization of Resource
|
CVE-2026-54359
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2872
|
- |
|
-
|
-
|
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54360
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2873
|
- |
|
-
|
-
|
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fi…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54361
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2874
|
6.5 |
MEDIUM
Local
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create co…
|
CWE-78
OS Command
|
CVE-2026-42853
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2875
|
8.1 |
HIGH
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived …
|
CWE-20
CWE-640
Improper Input Validation
Weak Password Recovery Mechanism for Forgotten Password
|
CVE-2026-45013
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2876
|
- |
|
-
|
-
|
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom ac…
|
CWE-863
Incorrect Authorization
|
CVE-2026-54362
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2877
|
- |
|
-
|
-
|
MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and…
|
CWE-22
Path Traversal
|
CVE-2026-54394
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2878
|
- |
|
-
|
-
|
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypa…
|
CWE-79
Cross-site Scripting
|
CVE-2026-54393
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2879
|
- |
|
-
|
-
|
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quot…
|
CWE-79
Cross-site Scripting
|
CVE-2026-54395
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2880
|
- |
|
-
|
-
|
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacke…
|
CWE-200
Information Exposure
|
CVE-2026-54396
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
