๐Ÿ” CVE Alert

CVE-2026-10861

UNKNOWN 0.0

MISP post-login open redirect via pre_login_requested_url

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
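The rejection rules listed above, sketched as an added example in Python; this is not MISP's PHP patch. The function names and the `/` fallback are hypothetical, and the control-character check is extra hardening the advisory does not list.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical fallback destination; not taken from MISP.
DEFAULT_DESTINATION = "/"


def _is_local_path(url: str) -> bool:
    """Apply the advisory's rejection rules to one form of the URL."""
    # Extra hardening (assumption, not listed in the advisory): browsers drop
    # tabs and newlines while parsing, so "/\t/host" can collapse to "//host".
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed bracketed host
        return False
    if parts.scheme or parts.netloc or parts.username:
        return False
    if not parts.path.startswith("/"):  # missing or non-local path
        return False
    # Protocol-relative forms: "//example.com" and "/\example.com"
    return not url.startswith(("//", "/\\"))


def is_safe_redirect(raw) -> bool:
    """True only when raw is a path on this application."""
    if not isinstance(raw, str) or not raw:
        return False
    # Check the stored value and its percent-decoded form, so an encoded
    # "/%2Fhost" or "/%5Chost" cannot slip past the prefix checks.
    return _is_local_path(raw) and _is_local_path(unquote(raw))


def post_login_destination(session: dict) -> str:
    """Pick the redirect target from the session, falling back when unsafe."""
    requested = session.get("pre_login_requested_url")
    return requested if is_safe_redirect(requested) else DEFAULT_DESTINATION
```
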

CWE: CWE-601
Vendor: misp
Product: misp
Published: Jun 4, 2026
Last Updated: Jun 4, 2026

Affected Versions

misp / misp
0 ≤ 2.5.38

References

github.com: https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d59a1f961b31adb3443e

Credits

Andras Iklody, Jeroen Pinoy