CVE-2026-54395
MISP UiBeta event index reflected XSS in advanced filter popup
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victimβs browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
| CWE | CWE-79 |
| Vendor | misp |
| Product | misp |
| Published | Jun 12, 2026 |
Get instant alerts for misp misp
Be the first to know when new unknown vulnerabilities affecting misp misp are published β delivered to Slack, Telegram or Discord.