CVE-2026-8080 | THREATINT

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

PUBLISHED Reserved 2026-05-07 | Published 2026-05-07 | Updated 2026-05-07 | Assigner CIRCL

MEDIUM: 6.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

Any version before 2.5.37

affected

Credits

Luciano Righetti remediation developer

Bjørn Helseth (TV 2 Norway) finder

References

github.com/...ommit/62824e5ca0056d01b195f70466ea0d382cca06d0 patch

cve.org (CVE-2026-8080)

nvd.nist.gov (CVE-2026-8080)

Download JSON