CVE-2026-54393
Status: Received - Intake
Stored XSS in MISP Overmind Theme Homepage Setting

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload. The stored value was later rendered in app/View/News/index.ctp as the href attribute of the "Continue to homepage" link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with. The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.
Meta Information

Published: 2026-06-12

Last Modified: 2026-06-12

Generated: 2026-06-13

AI Q&A: 2026-06-13

EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in MISP when using the Overmind theme. It occurs because the setHomePage endpoint saved a user-controlled path value without proper validation, bypassing the usual checks that require homepage paths to start with a '/'. An authenticated user could therefore store an arbitrary homepage value, including malicious JavaScript code.

Later, this stored value was rendered in the application as the href attribute of a "Continue to homepage" link without HTML escaping. This allowed the execution of attacker-controlled JavaScript in the browser of anyone viewing the affected MISP instance when they interacted with the crafted homepage link.

The issue was fixed by ensuring the homepage setting is always saved through the proper validation function and by HTML-escaping the homepage value before rendering it.

Impact Analysis

This vulnerability can allow an authenticated user to inject and store malicious JavaScript code within the MISP application. When other users view the affected page, the malicious script can execute in their browsers.

Potential impacts include theft of user session data, unauthorized actions performed on behalf of users, redirection to malicious sites, or other malicious behaviors enabled by executing attacker-controlled scripts in the context of the affected application.

Mitigation Strategies

To mitigate this vulnerability, ensure that the MISP instance is updated to a version where the homepage setting is always persisted through the setSetting() method, which applies proper validation and access checks.

Additionally, verify that the homepage value is HTML-escaped before rendering it in the news view to prevent execution of attacker-controlled JavaScript.
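As an added illustration of the two fixes described above (example code, not MISP's own), the snippet below models in plain PHP a validate-before-persist step that rejects homepage values not starting with "/" and the HTML-escaped rendering of the value inside the href attribute, next to the unescaped rendering the advisory describes. The function names and the in-memory settings array are hypothetical; the constructed inputs show why both layers are needed.

```php
<?php
// Added example, not MISP code. Function names are hypothetical; they model the
// behaviour the advisory attributes to validate_homepage() and the news view.

/**
 * Mirrors the documented validate_homepage rule: a homepage is a site-relative
 * path and must start with "/". Returns null when valid, else an error string.
 */
function validateHomepage(string $value): ?string
{
    if ($value === '' || $value[0] !== '/') {
        return 'Homepage must be a path starting with "/"';
    }
    return null;
}

/**
 * Persistence after the fix: every write goes through validation and nothing
 * is stored when the check fails. $settings stands in for the settings store.
 */
function setHomepage(array &$settings, string $value): bool
{
    if (validateHomepage($value) !== null) {
        return false; // rejected, nothing persisted
    }
    $settings['homepage'] = $value;
    return true;
}

/** Vulnerable rendering: the raw value is interpolated into the href attribute. */
function renderLinkUnsafe(string $homepage): string
{
    return '<a href="' . $homepage . '">Continue to homepage</a>';
}

/** Fixed rendering: HTML-escape, quotes included, before placing it in the attribute. */
function renderLinkSafe(string $homepage): string
{
    return '<a href="' . htmlspecialchars($homepage, ENT_QUOTES, 'UTF-8')
        . '">Continue to homepage</a>';
}

// Constructed inputs for illustration.
$store = [];
setHomepage($store, 'javascript:alert(1)');        // rejected: no leading "/"
setHomepage($store, '/events/index" data-x="');    // accepted: passes the path rule
echo renderLinkUnsafe($store['homepage']), PHP_EOL; // the quote ends the attribute early
echo renderLinkSafe($store['homepage']), PHP_EOL;   // the quote is escaped as &quot;
```

The second input passes the leading-slash rule yet still terminates the attribute when rendered unescaped, which is why the advisory's fix adds output escaping on top of input validation rather than relying on either alone.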
