CVE-2026-10856
Status: Undergoing Analysis - In Progress
Open Redirect in MISP Dashboard Button Widget

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Browsers that follow the WHATWG URL Standard treat a backslash like a forward slash in http(s) URLs, so /\example.com is resolved as //example.com, a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation. An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but sends users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
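The following is an added example in JavaScript, not MISP's own (PHP) code. Node's URL class implements the same WHATWG parsing algorithm as browsers, so resolving a button href against a hypothetical instance origin (https://misp.example, an assumption) shows where a click actually lands. The two prefix-based validators are my approximations of the pre-patch check and of the patch as the description above summarises them, not the actual MISP source; the third, origin-based check is a more general alternative that I am adding here, not something the advisory says MISP does.

```javascript
// Added example (JavaScript, not MISP's PHP code): how the browser resolves a
// dashboard button href, and three validators for comparison.
// Assumption: the MISP instance is served from https://misp.example (hypothetical).
const APP_ORIGIN = 'https://misp.example';

// Node's URL class implements the WHATWG URL Standard, i.e. the same parsing
// a browser applies to an <a href="..."> on a page under APP_ORIGIN.
function resolveAsBrowser(href, page = APP_ORIGIN + '/dashboard') {
  return new URL(href, page).href;
}

// Approximation of the pre-patch check described in the advisory: reject an
// explicit scheme or an authority ("//host", "//user@host"); accept the rest
// as a local path. A backslash is not treated specially, so "/\example.com"
// is accepted as if it were a path.
function isLocalPathVulnerable(url) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return false; // scheme present
  if (url.startsWith('//')) return false;             // host (and possibly user) present
  return true;
}

// Approximation of the patched check as described: additionally reject an
// empty path and a path starting with "/\". (The real commit may differ.)
function isLocalPathPatched(url) {
  if (url === '' || url.startsWith('/\\')) return false;
  return isLocalPathVulnerable(url);
}

// More general check (my addition, not the MISP fix): let the URL parser
// decide, and accept only hrefs that stay on the application's own origin.
// This catches every spelling the parser turns into an authority, not just
// one enumerated prefix.
function staysOnOrigin(url) {
  if (url === '') return false;
  let resolved;
  try { resolved = new URL(url, APP_ORIGIN + '/'); } catch { return false; }
  return resolved.origin === APP_ORIGIN;
}

// Constructed inputs: a benign local path, the advisory's payload, and two
// other spellings the parser resolves the same way.
const SAMPLES = ['/events/index', '/\\example.com', '\\\\example.com', '//example.com'];

function compare() {
  return SAMPLES.map((s) => ({
    input: s,
    resolved: resolveAsBrowser(s),
    vulnerable: isLocalPathVulnerable(s),
    patched: isLocalPathPatched(s),
    originCheck: staysOnOrigin(s),
  }));
}

console.table(compare());
```

Run it with node to see the table. In a server-side validator APP_ORIGIN would be the instance's configured base URL; the point of the comparison is that a check which enumerates bad prefixes has to know every spelling the browser accepts, whereas comparing the parsed origin does not.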
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-04
AI Q&A: 2026-06-04
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: misp | Product: misp | Version / Range: to 2026-10-01 (inc)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a URL validation flaw in the MISP dashboard button widget. It allowed specially crafted URLs that looked like local paths but were interpreted by browsers as external URLs. The validation incorrectly accepted paths starting with a slash followed by a backslash (e.g., /\example.com), which some browsers normalize into external navigation targets. This flaw enabled attackers who could configure dashboard button URLs to create buttons that appeared to link inside the application but actually redirected users to attacker-controlled sites.

The vulnerability arises because the validation rejected URLs with explicit schemes, hosts, or user components but did not properly reject certain malformed paths. Additionally, the generated link concatenated the reconstructed URL with the original URL, increasing the chance of unsafe or malformed links.


How can this vulnerability impact me?

An attacker who can influence or configure a dashboard button URL could exploit this vulnerability to craft a button that appears to link within the application but actually redirects users to a malicious external site.

  • Phishing attacks by redirecting users to fake login or credential collection pages.
  • Credential theft by tricking users into entering sensitive information on attacker-controlled sites.
  • Social engineering attacks leveraging the trust users place in the application interface.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves crafted relative-looking URLs in the MISP dashboard button widget that appear local but, once resolved by the browser, point at an external attacker-controlled site. Detection means inspecting the stored dashboard button URLs for values the browser will treat as an authority rather than a path: a path starting with a slash followed by a backslash (e.g., /\example.com), and more generally any value whose first two characters are each a forward slash or a backslash, since browsers treat backslash as slash in http(s) URLs.

Because this is a web application issue, the data to inspect is the widget configuration MISP stores server-side: search a database dump or configuration export for button URLs containing these sequences. When the configuration is serialized as JSON, a single backslash appears as \\ in the dump, so a search for the two characters /\ matches both spellings.

  • Use grep or a similar tool to search exports for values starting with '/\' (the -F flag treats the pattern as a fixed string, so the backslash needs no escaping).
  • Example command: grep -rnF '/\' /path/to/misp/config_or_exports
  • The navigation happens in the user's browser, so the MISP server does not issue an HTTP redirect and its access logs will not show one. Look instead in web proxy or egress logs for requests to unexpected external hosts whose Referer (where the referrer policy allows it to be sent) is the MISP dashboard URL.
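As an added example for the detection step (not a MISP tool), the scanner below parses a constructed, hypothetical dashboard export and reports every string that looks like a URL or path and that a browser would resolve off the instance origin, assumed here to be https://misp.example. It does not depend on MISP's real storage schema: any string stored under a key whose name contains url, href or link, or that starts with a slash or backslash, is checked.

```javascript
// Added example (JavaScript, not a MISP tool): scan a dashboard export for
// button URLs that a browser would resolve off the application's origin.
// Assumptions: the instance is served from https://misp.example, and the
// export shape below is constructed for illustration; the walker itself
// does not depend on MISP's real storage schema.
const APP_ORIGIN = 'https://misp.example';

// Constructed sample export: three button widgets, two of them malicious.
const SAMPLE_EXPORT = JSON.stringify([
  { user: 'alice', widgets: [
    { widget: 'button', config: { text: 'Open events', url: '/events/index' } },
    { widget: 'button', config: { text: 'Helpdesk', url: '/\\example.com/login' } },
  ] },
  { user: 'bob', widgets: [
    { widget: 'button', config: { text: 'Feeds', url: '\\\\example.com' } },
  ] },
]);

// Resolve a value the way a browser would for an <a href> on a page under
// APP_ORIGIN; returns null when the parser rejects it outright.
function resolveHref(value) {
  try { return new URL(value, APP_ORIGIN + '/'); } catch { return null; }
}

// Walk any JSON document. A string is a candidate when its key name contains
// url/href/link or when it starts with "/" or "\"; a candidate is reported
// when it resolves to a different origin (or does not parse at all).
function findOffOriginUrls(jsonText) {
  const findings = [];
  const walk = (node, path, key) => {
    if (typeof node === 'string') {
      const candidate = /^[\/\\]/.test(node) || /url|href|link/i.test(key || '');
      if (!candidate) return;
      const resolved = resolveHref(node);
      if (resolved === null || resolved.origin !== APP_ORIGIN) {
        findings.push({ path, value: node, resolved: resolved ? resolved.href : '(unparsable)' });
      }
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`, key));
    } else if (node !== null && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k, k);
    }
  };
  walk(JSON.parse(jsonText), '', null);
  return findings;
}

console.table(findOffOriginUrls(SAMPLE_EXPORT));
```

To use it on a real export, replace SAMPLE_EXPORT with the file contents (for example via fs.readFileSync) and set APP_ORIGIN to the instance's configured base URL. Unparsable strings are reported rather than skipped so that a reviewer sees them; the JSON path in each finding identifies which user's widget carries the value.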

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to apply the patch that fixes the URL validation flaw in the MISP dashboard button widget. This patch rejects empty paths and paths starting with a slash followed by a backslash, and ensures only properly validated URLs are used in the href attribute.

Until the patch is applied, avoid configuring or allowing dashboard buttons with URLs that could be crafted to exploit this vulnerability.

  • Update MISP to the version including the fix from commit f879f16fb5db7a9aab0a70fdcafea12ce4847e9a.
  • Audit existing dashboard button URLs and remove or correct any that contain suspicious patterns such as paths starting with '/\'.
  • Educate users to avoid clicking on dashboard buttons with unexpected or suspicious URLs.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows an attacker to craft URLs that appear to be local but redirect users to attacker-controlled external sites, potentially enabling phishing, credential theft, or social engineering attacks.

Such attacks could lead to unauthorized access to sensitive information or user credentials, which may result in non-compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

