CVE-2026-54395
Status: Received - Intake
Reflected XSS in MISP UiBeta Event Index View

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
CVSS Scores
No CVSS score is listed for this CVE.

EPSS Scores
Probability: N/A (EPSS not yet evaluated)
Percentile: N/A (EPSS not yet evaluated)

Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the UiBeta event index view of MISP. A URL parameter value is written into an inline JavaScript event handler as the body of a single-quoted JavaScript string, protected only by HTML escaping. That is the wrong encoding for this context: the browser decodes HTML character references in the attribute value before the JavaScript engine parses the handler, so an escaped quote in a crafted searcheventinfo value comes back as a literal quote and terminates the string, and the rest of the value is parsed as JavaScript. An attacker who gets a victim to open a crafted URL can therefore run arbitrary JavaScript in the victim's browser within the origin of the MISP instance.

The fix encodes the value as a JavaScript string literal with json_encode() first and applies HTML escaping at the attribute layer afterwards, so that each encoding layer is undone by the browser in the reverse order it was applied.

Impact Analysis

An attacker who gets a user to open a crafted link to the UiBeta event index view can execute arbitrary JavaScript in that user's browser with the privileges of the user's MISP session. Typical consequences are reading data and performing actions on behalf of the user through the MISP web interface, stealing any tokens that are readable by script, and redirecting the user to attacker-controlled sites. Because the XSS is reflected, exploitation requires user interaction (opening the link) and only affects users who reach the page through the UiBeta event index.

Mitigation Strategies

Upgrade to a MISP release that includes the fix. The fix encodes the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer, so that after the browser decodes the attribute the JavaScript engine sees a well-formed string literal whose quotes were produced by the encoder, not by the template. The general rule the fix restores is to encode for the innermost context first (JavaScript string) and the outer context last (HTML attribute), matching the order in which the browser decodes them.
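The escaping chain described in the Description and under Mitigation Strategies, modelled end to end as an added example. This is illustrative code written for this page, not MISP's template or the project's patch: htmlEscape() stands in for CakePHP's h() (htmlspecialchars with ENT_QUOTES), JSON.stringify stands in for PHP json_encode(), decodeAttribute() models the browser's character-reference decoding of an attribute value, new Function models the JavaScript engine compiling the handler, and applyFilter() and stealSession() are hypothetical function names. The payload is constructed for the example.

```javascript
// Added illustration of the CVE-2026-54395 escaping chain. Nothing here is
// MISP code: htmlEscape() stands in for CakePHP's h(), JSON.stringify for PHP
// json_encode(), and applyFilter()/stealSession() are hypothetical names.

// Server side: HTML-escape the five HTML-significant characters, as
// htmlspecialchars(..., ENT_QUOTES) does. Note that ' becomes &#039;.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Vulnerable template shape: the template supplies the JS string's single
// quotes and only HTML-escapes the value placed between them.
function renderVulnerable(searcheventinfo) {
  return `<a onclick="applyFilter('${htmlEscape(searcheventinfo)}')">filter</a>`;
}

// Fixed template shape: serialise the value as a JS string literal first (the
// literal brings its own quotes and backslash-escapes any quote inside it),
// then HTML-escape the whole literal for the attribute layer.
function renderFixed(searcheventinfo) {
  return `<a onclick="applyFilter(${htmlEscape(JSON.stringify(searcheventinfo))})">filter</a>`;
}

// Browser side, step 1: the HTML parser decodes character references in the
// attribute value before the JS engine ever sees it. This undoes htmlEscape().
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeAttribute(attrValue) {
  return attrValue.replace(/&(?:(amp|lt|gt|quot)|#(\d+)|#x([0-9a-f]+));/gi,
    (_, name, dec, hex) => name !== undefined
      ? NAMED_REFS[name.toLowerCase()]
      : String.fromCodePoint(dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16)));
}

// Browser side, step 2: take the decoded onclick text and compile it as the
// handler body, which is what happens when the element is clicked.
function handlerFromMarkup(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  if (!m) throw new Error('no onclick attribute in markup');
  return new Function('applyFilter', 'stealSession', decodeAttribute(m[1]));
}

// Run the handler with instrumented stand-ins for the page's functions and
// report which of them were called and with what arguments.
function simulate(render, searcheventinfo) {
  const calls = [];
  const applyFilter = (v) => { calls.push(['applyFilter', v]); };
  const stealSession = () => { calls.push(['stealSession']); };
  try {
    handlerFromMarkup(render(searcheventinfo))(applyFilter, stealSession);
    return { calls, error: null };
  } catch (e) {
    return { calls, error: e.constructor.name };
  }
}

// Constructed payload: closes the single-quoted string, appends a call, and
// comments out the template's trailing quote and parenthesis.
const BREAKOUT = "');stealSession();//";

console.log('vulnerable:', JSON.stringify(simulate(renderVulnerable, BREAKOUT)));
console.log('fixed:     ', JSON.stringify(simulate(renderFixed, BREAKOUT)));
```

With the vulnerable template the decoded handler reads `applyFilter('');stealSession();//')`, so the injected call runs; with the fixed template it reads `applyFilter("');stealSession();//")` and the payload is passed through as data. A payload built around a double quote does not break out of the vulnerable template, which is why the bug is specifically about the quote character matching the template's JavaScript string delimiter. One PHP-specific point: json_encode() additionally escapes `/` as `\/` by default and can be asked to hex-encode `<`, `>`, `'` and `"` (JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT); in an attribute the outer HTML escaping already covers those characters, but the flags matter when the same literal is emitted inside a `<script>` block, where no HTML escaping is applied.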
