CVE-2026-10854
4.3 MEDIUMA visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to o...
Published: 2026-06-04 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-200
Affected products
| Vendor | Product |
|---|---|
| misp | misp |
Description
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-10864 — A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields we... (4.3 MEDIUM)
- CVE-2026-10863 — A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlle... (8.1 HIGH)
- CVE-2026-10860 — A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method (6.5 MEDIUM)
- CVE-2026-10861 — An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url... (6.1 MEDIUM)
- CVE-2026-10856 — A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while bei... (6.1 MEDIUM)
Same CWE
- CVE-2026-47177 — Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
- CVE-2026-47176 — Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
- CVE-2026-44486 — Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)
- CVE-2026-53912 — Cerebrate before version 1.37 exposed credential material from self-registration requests
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)