CVE-2026-54395
Status: Deferred - Pending Action

Reflected XSS in MISP UiBeta Event Index View

Vulnerability report for CVE-2026-54395, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
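
As an added illustration (not MISP's own code), the following JavaScript models the two encoding orders the description contrasts: HTML-escaping a value straight into a single-quoted handler string versus producing a JavaScript string literal first and HTML-escaping that. The handler name `setUrlParams` and the template shape are assumptions, and `JSON.stringify` stands in for PHP's `json_encode()`.

```javascript
// Mimics CakePHP's h(): htmlspecialchars() with ENT_QUOTES.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// What the browser does to an event-handler attribute BEFORE the JS parser sees it.
function htmlAttributeDecode(s) {
  return s.replace(/&#0*39;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Vulnerable order (assumed template shape): HTML-escape only, inside a single-quoted JS string.
function vulnerableAttribute(urlparams) {
  return `setUrlParams('${htmlEscape(urlparams)}')`;
}

// Fixed order: JavaScript string literal first (JSON.stringify stands in for
// PHP's json_encode()), then HTML escaping at the attribute layer.
function fixedAttribute(urlparams) {
  return `setUrlParams(${htmlEscape(JSON.stringify(urlparams))})`;
}

// Minimal scan of the decoded handler: read the string literal after "setUrlParams("
// (backslash escapes taken verbatim) and return its content plus what follows the quote.
function firstStringLiteral(handlerSource) {
  const open = handlerSource.indexOf("setUrlParams(") + "setUrlParams(".length;
  const quote = handlerSource[open];
  if (quote !== "'" && quote !== '"') return null;
  let i = open + 1, content = "";
  while (i < handlerSource.length && handlerSource[i] !== quote) {
    if (handlerSource[i] === "\\") { content += handlerSource[i + 1]; i += 2; continue; }
    content += handlerSource[i++];
  }
  return { content, rest: handlerSource.slice(i + 1) };
}

// The value is contained when the parser sees one string argument and then
// only the closing parenthesis; anything else means the quote was broken out of.
function valueStaysContained(attributeValue) {
  const lit = firstStringLiteral(htmlAttributeDecode(attributeValue));
  return lit !== null && lit.rest === ")";
}

// Constructed input: a search term with an apostrophe, as a user might type
// into searcheventinfo. A crafted value would continue with more JavaScript.
const sample = "O'Neill";
console.log(valueStaysContained(vulnerableAttribute(sample))); // false
console.log(valueStaysContained(fixedAttribute(sample)));      // true
```

With the vulnerable order the browser hands the parser `setUrlParams('O'Neill')`, so the literal ends after `O`; with the fixed order it hands over `setUrlParams("O'Neill")` and the apostrophe stays data.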

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-01

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the UiBeta event index view of MISP. It occurs because a URL parameter value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. However, browsers decode HTML attribute values before parsing JavaScript, allowing a specially crafted search event info value to restore encoded quote characters and break out of the JavaScript string. This enables an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser within the context of the MISP instance.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary JavaScript code in the browser of a user who opens a maliciously crafted URL in the UiBeta event index view of MISP. This can lead to unauthorized actions such as stealing session tokens, performing actions on behalf of the user, or redirecting the user to malicious sites.

Mitigation Strategies

The vulnerability is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.