Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54393

CVE-2026-54393: MISP Overmind Theme XSS Vulnerability

CVE-2026-54393 is a stored XSS vulnerability in MISP when using the Overmind theme that allows authenticated attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-54393 Overview

CVE-2026-54393 is a stored cross-site scripting (XSS) vulnerability in the Malware Information Sharing Platform (MISP) when the Overmind theme is active. The setHomePage endpoint persisted user-controlled path values through setSettingInternal(), bypassing the setSetting() validation logic and the validate_homepage check that requires paths to begin with /. An authenticated user could store an arbitrary homepage value, including a JavaScript payload, that was later rendered unescaped in app/View/News/index.ctp.

Critical Impact

An authenticated MISP user can store an XSS payload in the homepage setting that executes in the browser context of any user interacting with the crafted “Continue to homepage” link.

Affected Products

  • MISP (Malware Information Sharing Platform) instances using the Overmind theme
  • MISP versions prior to commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2
  • MISP deployments where authenticated users can modify their homepage setting

Discovery Timeline

  • 2026-06-12 - CVE-2026-54393 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-54393

Vulnerability Analysis

The flaw is a stored cross-site scripting issue [CWE-79] in the MISP UserSettingsController. When the Overmind theme was selected, the setHomePage action routed the incoming path parameter directly into UserSetting->setSettingInternal(). This internal method bypassed the standard validation pipeline used by setSetting(), including the validate_homepage rule that enforces a leading / on path values.

The Exploit Prediction Scoring System (EPSS) currently estimates the probability of exploitation at 0.377% (29.36 percentile), reflecting limited but non-zero observed interest.

Root Cause

Two defects combine to produce the vulnerability. First, the controller branched on the active theme and invoked setSettingInternal() for Overmind users, skipping validate_homepage and the access checks normally enforced by setSetting(). Second, the news view template emitted the stored value directly into an href attribute without applying the CakePHP h() HTML-escaping helper.

Attack Vector

An authenticated MISP user submits a crafted path value to the setHomePage endpoint while the Overmind theme is active. The payload is persisted as the user's homepage setting. When the news view renders the “Continue to homepage” link, the unescaped value lands inside an href attribute, allowing attacker-controlled JavaScript to execute in the victim's browser session.

php
            if (empty($this->request->data['path'])) {
                throw new InvalidArgumentException(__('No path POSTed.'));
            }
-            if ($this->theme === "Overmind") {
-                $result = $this->UserSetting->setSettingInternal(
-                    $this->Auth->user('id'),
-                    'homepage',
-                    ['path' => $this->request->data['path']]
-                );
-            } else {
-                $setting = array(
-                    'UserSetting' => array(
-                        'user_id' => $this->Auth->user('id'),
-                        'setting' => 'homepage',
-                        'value' => ['path' => $this->request->data['path']],
-                    )
-                );
-                $result = $this->UserSetting->setSetting($this->Auth->user(), $setting);
-            }
+            $setting = array(
+                'UserSetting' => array(
+                    'user_id' => $this->Auth->user('id'),
+                    'setting' => 'homepage',
+                    'value' => ['path' => $this->request->data['path']],
+                )
+            );
+            // Always persist through setSetting() so validation and access checks run.

Source: MISP GitHub Commit d4733ca

Detection Methods for CVE-2026-54393

Indicators of Compromise

  • Entries in the user_settings table where setting = 'homepage' and the stored path value does not begin with /
  • Homepage path values containing javascript:, data:, <script, or HTML event handlers such as onerror= and onclick=
  • Outbound requests from MISP user browsers to unexpected domains following navigation from the News view

Detection Strategies

  • Audit the MISP user_settings table for malformed or script-bearing homepage entries and flag any value failing the validate_homepage rule
  • Review web server access logs for POST requests to /user_settings/setHomePage originating from accounts using the Overmind theme
  • Inspect rendered HTML of app/View/News/index.ctp in test sessions to confirm the h() escaping helper is applied to the homepage href

Monitoring Recommendations

  • Enable MISP audit logging for user setting changes and forward events to a centralized log platform for correlation
  • Apply a Content Security Policy (CSP) that disallows inline JavaScript and javascript: URIs to limit XSS execution
  • Track which users have the Overmind theme selected and review any homepage modifications they performed before patching

How to Mitigate CVE-2026-54393

Immediate Actions Required

  • Update MISP to a build that includes commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2 or later
  • Inspect existing user_settings rows with setting = 'homepage' and remove or normalize any values that do not begin with /
  • Force re-authentication of active MISP sessions after cleanup to invalidate any in-flight exploitation attempts

Patch Information

The fix in commit d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2 removes the theme-conditional branch in UserSettingsController::setHomePage and routes all homepage updates through setSetting(). This ensures the validate_homepage rule and access checks run for every request. The patch also wraps the homepage value in the CakePHP h() helper inside app/View/News/index.ctp, applying HTML escaping before the value is emitted into the href attribute. See the MISP GitHub Commit Update for the full diff.

Workarounds

  • Switch affected users away from the Overmind theme to a theme that does not trigger the vulnerable code branch
  • Restrict access to the setHomePage endpoint at the reverse proxy until the patch is applied
  • Manually purge homepage values from the user_settings table to clear any previously stored XSS payloads
bash
# Identify potentially malicious homepage settings stored in MISP
mysql -u misp -p misp -e "SELECT id, user_id, value FROM user_settings WHERE setting='homepage' AND value NOT LIKE '%\"path\":\"/%';"

# Remove suspect entries after review
mysql -u misp -p misp -e "DELETE FROM user_settings WHERE setting='homepage' AND value NOT LIKE '%\"path\":\"/%';"

# Pull the patched MISP source
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git checkout d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.