CVE-2026-9137

HIGH

CSP Report Endpoint Log Flooding via Incorrect Size Limit

Title source: cna

Description

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

References (1)

Core 1

Core References

Patch patch

https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0037

EPSS Percentile 28.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

misp/misp 2.5.0 - 2.5.37

misp/misp 2.5.0 - 2.5.38

Published May 20, 2026

Tracked Since May 21, 2026