|
2691
|
- |
|
-
|
-
|
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organiza…
|
CWE-639
CWE-863
Authorization Bypass Through User-Controlled Key
Incorrect Authorization
|
CVE-2026-54357
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2692
|
- |
|
-
|
-
|
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functio…
|
CWE-863
Incorrect Authorization
|
CVE-2026-54358
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2693
|
- |
|
-
|
-
|
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJA…
|
CWE-352
CWE-1188
Origin Validation Error
Insecure Default Initialization of Resource
|
CVE-2026-54359
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2694
|
- |
|
-
|
-
|
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54360
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2695
|
- |
|
-
|
-
|
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fi…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54361
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2696
|
6.5 |
MEDIUM
Local
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create co…
|
CWE-78
OS Command
|
CVE-2026-42853
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2697
|
8.1 |
HIGH
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived …
|
CWE-20
CWE-640
Improper Input Validation
Weak Password Recovery Mechanism for Forgotten Password
|
CVE-2026-45013
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2698
|
- |
|
-
|
-
|
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom ac…
|
CWE-863
Incorrect Authorization
|
CVE-2026-54362
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2699
|
- |
|
-
|
-
|
MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and…
|
CWE-22
Path Traversal
|
CVE-2026-54394
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2700
|
- |
|
-
|
-
|
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypa…
|
CWE-79
Cross-site Scripting
|
CVE-2026-54393
|
2026-06-16 05:46 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
