CVE-2026-8080

MEDIUM

MISP core - Stored XSS in MISP template (old engine) element attribute type

Title source: cna

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

References (1)

Core 1

Core References

Patch patch

https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 3.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

misp/misp < 2.5.37 (2 CPE variants)

Published May 07, 2026

Tracked Since May 07, 2026