CVE-2026-8080

UNKNOWN 0.0

MISP core - Stored XSS in MISP template (old engine) element attribute type

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

CWE	CWE-79
Vendor	misp
Product	misp
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for misp misp

Be the first to know when new unknown vulnerabilities affecting misp misp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

misp / misp

0 < 2.5.37

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0

Credits

Luciano Righetti Bjørn Helseth (TV 2 Norway)