Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53693

CVE-2026-53693: MISP BSimVis Stored XSS Vulnerability

CVE-2026-53693 is a stored cross-site scripting flaw in MISP BSimVis tag rendering code that allows attackers to inject malicious scripts. This post covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-53693 Overview

CVE-2026-53693 is a stored cross-site scripting (XSS) vulnerability in MISP BSimVis through version v0.2.0. The flaw resides in client-side rendering code that interpolates tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. An attacker who can create or influence stored tag or metadata values can inject a payload that executes in another user's browser when the affected BSimVis pages are rendered. The issue is classified under CWE-79.

Critical Impact

Successful exploitation executes arbitrary JavaScript in the victim's session, enabling attackers to act as the victim, read accessible data, or alter displayed application content.

Affected Products

  • MISP BSimVis through v0.2.0
  • Client-side rendering paths for tag badges, tooltips, and context menus
  • Cluster cards, autocomplete suggestions, and dynamically inserted tag cards

Discovery Timeline

  • 2026-06-10 - CVE-2026-53693 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-53693

Vulnerability Analysis

The vulnerability stems from unsanitized interpolation of attacker-controllable strings into multiple rendering contexts within the BSimVis front-end. Tag names, collection names, entity identifiers, cluster names, and associated metadata flow directly into HTML markup, HTML attribute values, inline JavaScript event handlers, and CSS style declarations. Each of these contexts requires different escaping rules, and the original code applied none of them consistently. The patch introduces shared escaping helpers covering HTML, attribute, JavaScript string, and CSS color contexts, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards.

Root Cause

The root cause is missing output encoding (CWE-79) in multiple client-side rendering paths. Because stored values are rendered into mixed contexts—HTML body, attributes, JavaScript, and CSS—a single escaping strategy was insufficient, and the absence of any consistent escaping allowed malicious payloads stored in MISP tag and metadata fields to survive into rendered output.

Attack Vector

An attacker with permission to create or modify tag, cluster, or metadata values stores a crafted payload. When another authenticated user loads a BSimVis page that displays the affected tag badge, tooltip, context menu, cluster card, or autocomplete suggestion, the payload executes in the victim's browser session.

javascript
// Security patch in bsimvis/app/static/js/utils.js
// Shared utilities for BSimVis

function escapeHtml(value) {
    return String(value ?? '')
        .replace(/&/g, '&')
        .replace(/</g, '<')
        .replace(/>/g, '>')
        .replace(/"/g, '"')
        .replace(/'/g, ''');
}

function escapeAttr(value) {
    return escapeHtml(value);
}

function jsString(value) {
    return JSON.stringify(String(value ?? ''))
        .replace(/</g, '\\\u003C')
        .replace(/>/g, '\\\u003E')
        .replace(/&/g, '\\\u0026')
        .replace(/\\u2028/g, '\\\u2028')
        .replace(/\\u2029/g, '\\\u2029');
}

function safeCssClassPart(value) {
    return String(value ?? '').replace(/[^a-zA-Z0-9_-]/g, '_');
}

function safeCssColor(value, fallback = '#66d9ef') {
    const color = String(value ?? '').trim();

Source: MISP/bsimvis commit 7bcd2c2

Detection Methods for CVE-2026-53693

Indicators of Compromise

  • Stored tag, cluster, or metadata values containing HTML markup such as <script>, <img onerror=...>, or javascript: URIs
  • Tag or cluster names containing attribute-breaking characters like ", ', >, or backticks
  • CSS color fields containing values outside expected hex or named-color patterns, including expression() or url()

Detection Strategies

  • Audit the MISP BSimVis backing store for tag, collection, entity, and cluster records whose names or metadata fail strict allow-list validation
  • Review browser Content Security Policy (CSP) violation reports for inline script or style execution originating from BSimVis pages
  • Inspect server-side logs for API or UI calls that create or update tags with payload-like strings

Monitoring Recommendations

  • Monitor user sessions on BSimVis pages for anomalous outbound requests or DOM changes consistent with XSS payload execution
  • Track creation and modification of tag and cluster metadata by low-trust accounts
  • Alert on repeated rendering of tag values containing HTML-sensitive characters that bypassed validation

How to Mitigate CVE-2026-53693

Immediate Actions Required

  • Upgrade MISP BSimVis to a release that includes commit 7bcd2c2e27647dccdfb71877e905fbb032124a63 or later
  • Review existing stored tag, collection, entity, cluster, and metadata values for previously injected payloads and remove or sanitize them
  • Restrict tag and metadata creation privileges to trusted users until the patch is applied

Patch Information

The fix is published in the MISP BSimVis repository. The patch adds shared escaping helpers (escapeHtml, escapeAttr, jsString, safeCssClassPart, safeCssColor) in bsimvis/app/static/js/utils.js and applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. See the GitHub commit for the full change set.

Workarounds

  • Enforce a strict Content Security Policy that disallows unsafe-inline script and style execution on BSimVis pages
  • Apply server-side input validation that rejects HTML metacharacters in tag names, cluster names, and metadata fields
  • Limit BSimVis access to authenticated, trusted analysts until upgrades are complete
bash
# Example restrictive Content-Security-Policy header for BSimVis
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.