Misp-project Misp
121 CVEs affecting Misp-project Misp. Latest disclosed: 2026-06-22. Critical: 25, High: 24.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-10611 | Critical | 10.0 | 2026-06-02 | An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.m… |
| CVE-2024-29859 | Critical | 9.8 | 2024-03-21 | In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. |
| CVE-2024-29858 | Critical | 9.8 | 2024-03-21 | In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. |
| CVE-2024-25675 | Critical | 9.8 | 2024-02-09 | An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/Job… |
| CVE-2024-25674 | Critical | 9.8 | 2024-02-09 | An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. |
| CVE-2023-50918 | Critical | 9.8 | 2023-12-15 | app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs. |
| CVE-2023-48659 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing. |
| CVE-2023-48658 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php lacks a checkParam function for alphanumerics, underscore, dash, period, and space. |
| CVE-2023-48657 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles filters. |
| CVE-2023-48656 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Model/AppModel.php mishandles order clauses. |
| CVE-2023-48655 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. |
| CVE-2022-48329 | Critical | 9.8 | 2023-02-20 | MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php… |
| CVE-2022-48328 | Critical | 9.8 | 2023-02-20 | app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. |
| CVE-2023-24028 | Critical | 9.8 | 2023-01-20 | In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. |
| CVE-2022-29528 | Critical | 9.8 | 2022-04-20 | An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. |
| CVE-2021-41326 | Critical | 9.8 | 2021-09-17 | In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. |
| CVE-2021-39302 | Critical | 9.8 | 2021-08-19 | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2021-35502 | Critical | 9.8 | 2021-06-25 | app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index. |
| CVE-2020-29006 | Critical | 9.8 | 2020-11-24 | MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. |
| CVE-2020-15411 | Critical | 9.8 | 2020-06-30 | An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. |