CVE-2026-53693 Overview
CVE-2026-53693 is a stored cross-site scripting (XSS) vulnerability in MISP BSimVis through version v0.2.0. The flaw resides in client-side rendering code that interpolates tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. An attacker who can create or influence stored tag or metadata values can inject a payload that executes in another user's browser when the affected BSimVis pages are rendered. The issue is classified under CWE-79.
Critical Impact
Successful exploitation executes arbitrary JavaScript in the victim's session, enabling attackers to act as the victim, read accessible data, or alter displayed application content.
Affected Products
- MISP BSimVis through v0.2.0
- Client-side rendering paths for tag badges, tooltips, and context menus
- Cluster cards, autocomplete suggestions, and dynamically inserted tag cards
Discovery Timeline
- 2026-06-10 - CVE-2026-53693 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-53693
Vulnerability Analysis
The vulnerability stems from unsanitized interpolation of attacker-controllable strings into multiple rendering contexts within the BSimVis front-end. Tag names, collection names, entity identifiers, cluster names, and associated metadata flow directly into HTML markup, HTML attribute values, inline JavaScript event handlers, and CSS style declarations. Each of these contexts requires different escaping rules, and the original code applied none of them consistently. The patch introduces shared escaping helpers covering HTML, attribute, JavaScript string, and CSS color contexts, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards.
Root Cause
The root cause is missing output encoding (CWE-79) in multiple client-side rendering paths. Because stored values are rendered into mixed contexts—HTML body, attributes, JavaScript, and CSS—a single escaping strategy was insufficient, and the absence of any consistent escaping allowed malicious payloads stored in MISP tag and metadata fields to survive into rendered output.
Attack Vector
An attacker with permission to create or modify tag, cluster, or metadata values stores a crafted payload. When another authenticated user loads a BSimVis page that displays the affected tag badge, tooltip, context menu, cluster card, or autocomplete suggestion, the payload executes in the victim's browser session.
// Security patch in bsimvis/app/static/js/utils.js
// Shared utilities for BSimVis
function escapeHtml(value) {
return String(value ?? '')
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''');
}
function escapeAttr(value) {
return escapeHtml(value);
}
function jsString(value) {
return JSON.stringify(String(value ?? ''))
.replace(/</g, '\\\u003C')
.replace(/>/g, '\\\u003E')
.replace(/&/g, '\\\u0026')
.replace(/\\u2028/g, '\\\u2028')
.replace(/\\u2029/g, '\\\u2029');
}
function safeCssClassPart(value) {
return String(value ?? '').replace(/[^a-zA-Z0-9_-]/g, '_');
}
function safeCssColor(value, fallback = '#66d9ef') {
const color = String(value ?? '').trim();
Source: MISP/bsimvis commit 7bcd2c2
Detection Methods for CVE-2026-53693
Indicators of Compromise
- Stored tag, cluster, or metadata values containing HTML markup such as <script>, <img onerror=...>, or javascript: URIs
- Tag or cluster names containing attribute-breaking characters like ", ', >, or backticks
- CSS color fields containing values outside expected hex or named-color patterns, including expression() or url()
Detection Strategies
- Audit the MISP BSimVis backing store for tag, collection, entity, and cluster records whose names or metadata fail strict allow-list validation
- Review browser Content Security Policy (CSP) violation reports for inline script or style execution originating from BSimVis pages
- Inspect server-side logs for API or UI calls that create or update tags with payload-like strings
Monitoring Recommendations
- Monitor user sessions on BSimVis pages for anomalous outbound requests or DOM changes consistent with XSS payload execution
- Track creation and modification of tag and cluster metadata by low-trust accounts
- Alert on repeated rendering of tag values containing HTML-sensitive characters that bypassed validation
How to Mitigate CVE-2026-53693
Immediate Actions Required
- Upgrade MISP BSimVis to a release that includes commit 7bcd2c2e27647dccdfb71877e905fbb032124a63 or later
- Review existing stored tag, collection, entity, cluster, and metadata values for previously injected payloads and remove or sanitize them
- Restrict tag and metadata creation privileges to trusted users until the patch is applied
Patch Information
The fix is published in the MISP BSimVis repository. The patch adds shared escaping helpers (escapeHtml, escapeAttr, jsString, safeCssClassPart, safeCssColor) in bsimvis/app/static/js/utils.js and applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. See the GitHub commit for the full change set.
Workarounds
- Enforce a strict Content Security Policy that disallows unsafe-inline script and style execution on BSimVis pages
- Apply server-side input validation that rejects HTML metacharacters in tag names, cluster names, and metadata fields
- Limit BSimVis access to authenticated, trusted analysts until upgrades are complete
# Example restrictive Content-Security-Policy header for BSimVis
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

