Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54395

CVE-2026-54395: MISP UiBeta XSS Vulnerability

CVE-2026-54395 is a reflected XSS vulnerability in MISP's UiBeta event index view that allows attackers to execute arbitrary JavaScript through crafted URLs. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-54395 Overview

CVE-2026-54395 is a reflected cross-site scripting (XSS) vulnerability in MISP, the open-source threat intelligence sharing platform. The flaw resides in the UiBeta event index view, where the urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Browsers HTML-decode attribute values before JavaScript parsing, so a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker can craft a malicious URL that executes arbitrary JavaScript in the victim's browser within the context of the MISP instance. The issue is tracked under [CWE-79].

Critical Impact

Successful exploitation lets an attacker run arbitrary JavaScript in an authenticated MISP user's session, enabling theft of session data, manipulation of threat intelligence, or further actions on behalf of the victim.

Affected Products

  • MISP (Malware Information Sharing Platform) — UiBeta theme
  • MISP app/View/Themed/UiBeta/Events/index.ctp event index view
  • MISP app/Controller/OrganisationsController.php organisation logo handler (related fix in the same commit)

Discovery Timeline

  • 2026-06-12 - CVE-2026-54395 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-54395

Vulnerability Analysis

The vulnerability stems from improper output encoding when reflecting the urlparams value into an inline onclick handler. The original template applied PHP's h() HTML-escaping function to $urlparams and placed the result inside a single-quoted JavaScript string within an HTML attribute. Browsers first HTML-decode the attribute value, then hand the result to the JavaScript parser. An attacker who submits a searcheventinfo query parameter containing HTML-encoded single quotes (such as ') causes the decoded value to terminate the JavaScript string literal and inject arbitrary script code.

The attacker-supplied script then runs in the victim's authenticated MISP session. The vulnerability requires the victim to visit a crafted URL while using the UiBeta event index, and the attacker must hold low-privilege access to deliver the link to a target user.

Root Cause

The root cause is a context-mismatched encoding strategy. HTML escaping is appropriate for HTML body content but is insufficient inside a JavaScript string literal that resides within an HTML attribute. The correct approach is to serialize the value as a JavaScript string with json_encode(), then apply HTML escaping at the attribute layer.

Attack Vector

The attack requires network access and authenticated, low-privilege access to MISP. An attacker constructs a URL containing a malicious searcheventinfo parameter and delivers it through phishing or other social channels. When a victim opens the link in the UiBeta event index view, the payload executes in their browser.

php
// Vulnerable pattern (before fix):
// <button ... onclick="getPopup('<?= h($urlparams) ?>', 'events', 'filterEventIndex')">
//
// Fixed pattern in app/View/Themed/UiBeta/Events/index.ctp:
<button class="btn btn-default beta-advanced-filter-button"
        onclick="getPopup(<?= h(json_encode($urlparams)) ?>, 'events', 'filterEventIndex')">
    <i class="fa fa-search"></i> <?= __('Advanced Filter...') ?>
</button>
// json_encode emits a properly-escaped JS string literal; h() then guards the
// attribute layer. Plain h($urlparams) inside a single-quoted JS string is unsafe:
// the browser HTML-decodes the onclick value before JS parsing, restoring any
// ' and allowing a crafted searcheventinfo value to break out (XSS).

Source: MISP commit b865deb

Detection Methods for CVE-2026-54395

Indicators of Compromise

  • HTTP requests to MISP UiBeta event index endpoints containing searcheventinfo parameters with HTML-encoded quote characters such as ', ', or %26%23039%3B.
  • Unexpected <script> execution, eval, or DOM modifications originating from inline onclick handlers on the event index page.
  • Outbound browser requests from MISP users to attacker-controlled domains immediately after loading a filtered event index URL.

Detection Strategies

  • Inspect web server and reverse-proxy access logs for query strings targeting the UiBeta events index with suspicious characters or encoded quotes in filter parameters.
  • Deploy a Content Security Policy (CSP) report-only mode and review violation reports for inline script execution on event index pages.
  • Use static analysis on MISP templates to flag any h($variable) usage inside JavaScript string contexts in .ctp files.

Monitoring Recommendations

  • Forward MISP application and proxy logs to a centralized analytics platform and alert on anomalous query parameter patterns matching encoded-quote signatures.
  • Track session activity following suspicious URL visits, focusing on API calls executed shortly after a UiBeta page load.
  • Monitor for unexpected modifications to threat intelligence records that correlate with browsing sessions of authenticated MISP users.

How to Mitigate CVE-2026-54395

Immediate Actions Required

  • Apply the upstream MISP patch from commit b865deb036ca82dab272be260798f562034ba9ae or upgrade to the next MISP release that includes it.
  • Restrict access to the MISP instance with network controls and require strong authentication while the patch is rolled out.
  • Notify MISP users to avoid clicking unsolicited links pointing to the event index view until patching is verified.

Patch Information

The fix encodes $urlparams as a JavaScript string literal using json_encode() before applying h() at the attribute layer. The same commit also hardens OrganisationsController.php against a related path traversal issue in organisation logo handling by using realpath() and a base directory prefix check. See the MISP security commit for the full diff.

Workarounds

  • Switch users away from the UiBeta theme to the default MISP theme until the patch is deployed.
  • Deploy a strict Content Security Policy that blocks inline script execution and disallows untrusted script sources.
  • Place a web application firewall rule in front of MISP that rejects requests containing encoded quote sequences in event search parameters.
bash
# Example: pull the upstream fix into an existing MISP deployment
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git cherry-pick b865deb036ca82dab272be260798f562034ba9ae
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates
sudo systemctl restart apache2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.