Misp-project Misp

121 CVEs affecting Misp-project Misp. Latest disclosed: 2026-06-22. Critical: 25, High: 24.

Top CVEs affecting Misp-project Misp
CVESeverityScorePublishedSummary
CVE-2026-10611Critical10.02026-06-02An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.m…
CVE-2024-29859Critical9.82024-03-21In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVE-2024-29858Critical9.82024-03-21In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVE-2024-25675Critical9.82024-02-09An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/Job…
CVE-2024-25674Critical9.82024-02-09An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVE-2023-50918Critical9.82023-12-15app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
CVE-2023-48659Critical9.82023-11-17An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing.
CVE-2023-48658Critical9.82023-11-17An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space.
CVE-2023-48657Critical9.82023-11-17An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters.
CVE-2023-48656Critical9.82023-11-17An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses.
CVE-2023-48655Critical9.82023-11-17An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters.
CVE-2022-48329Critical9.82023-02-20MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php…
CVE-2022-48328Critical9.82023-02-20app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
CVE-2023-24028Critical9.82023-01-20In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.
CVE-2022-29528Critical9.82022-04-20An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
CVE-2021-41326Critical9.82021-09-17In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVE-2021-39302Critical9.82021-08-19MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
CVE-2021-35502Critical9.82021-06-25app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
CVE-2020-29006Critical9.82020-11-24MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVE-2020-15411Critical9.82020-06-30An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.