
CVE-2026-10864

4.3 MEDIUM


Published: 2026-06-04 · Last updated: 2026-06-08

Severity and scoring

CVSS
4.3 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
CWE-200

Affected products

Vendor: misp
Product: misp

Description

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response. The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields. Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.
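The ordering problem in the description (validate and redact after the selection is built, so a request can reach the query layer with an empty field list) is easier to see side by side with the fixed ordering. The following is an added illustration, not MISP's code: the model fields, default fields, sample rows and the `query` stand-in for an ORM `fields` option that selects every column when handed an empty list are all constructed for this example, and the function names are invented.

```python
"""Added example (not MISP code): a small model of the dashboard-widget field
selection described in CVE-2026-10864, showing the vulnerable ordering beside
the fixed ordering. `query` is a constructed stand-in for an ORM `fields`
option that returns every model column when the selected list is empty."""

# Constructed sample model and rows; names are illustrative, not MISP's schema.
USER_FIELDS = ["id", "name", "email", "date_created"]
USER_DEFAULTS = ["id", "name", "date_created"]
USERS = [
    {"id": 1, "name": "alice", "email": "alice@example.test", "date_created": "2026-06-01"},
    {"id": 2, "name": "bob", "email": "bob@example.test", "date_created": "2026-06-02"},
]


def query(rows, fields):
    """Stand-in for the ORM: an empty field list means 'return all columns'."""
    if not fields:
        return [dict(row) for row in rows]
    return [{f: row[f] for f in fields} for row in rows]


def vulnerable_select(requested, model_fields, defaults, restricted):
    """Bug: defaults are applied only when the request is empty, validation
    and redaction run afterwards, so a request that validates or redacts
    down to nothing reaches the ORM as an empty list."""
    fields = list(requested) if requested else list(defaults)
    fields = [f for f in fields if f in model_fields]   # validation
    fields = [f for f in fields if f not in restricted]  # redaction
    return fields


def fixed_select(requested, model_fields, defaults, restricted):
    """Fix: restricted fields are removed from the allow-list before the
    user-supplied selection is considered, and an empty result falls back
    only to the permitted defaults, never to 'all columns'."""
    allowed = [f for f in model_fields if f not in restricted]
    fields = [f for f in requested if f in allowed]
    if not fields:
        fields = [f for f in defaults if f in allowed]
    if not fields:
        # Never hand the ORM an empty list; misconfigured defaults are an error.
        raise ValueError("no permitted fields to select")
    return fields


def new_users_widget(requested, disclose_email, select=fixed_select):
    """Widget-style wrapper: e-mail becomes a restricted field when the
    (constructed) disclosure setting is off."""
    restricted = set() if disclose_email else {"email"}
    fields = select(requested, USER_FIELDS, USER_DEFAULTS, restricted)
    return query(USERS, fields)


def unintended_fields(rows, permitted):
    """Defender-side check on a widget response: which returned columns fall
    outside the set the caller was allowed to see."""
    seen = set()
    for row in rows:
        seen.update(row)
    return sorted(seen - set(permitted))


if __name__ == "__main__":
    leaky = new_users_widget(["email"], False, vulnerable_select)
    print("vulnerable ordering leaks:", unintended_fields(leaky, USER_DEFAULTS))
    safe = new_users_widget(["email"], False)
    print("fixed ordering leaks:", unintended_fields(safe, USER_DEFAULTS))
```

`unintended_fields` is the check worth keeping in a regression test for any endpoint that accepts a caller-supplied field list: compare the keys actually returned against the permitted set for that caller, rather than trusting that the filter ran. The same `fixed_select` ordering applies unchanged to the organisation widget with its own model and default field lists.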

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-10863 A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlle... (8.1 HIGH)
  • CVE-2026-10860 A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method (6.5 MEDIUM)
  • CVE-2026-10861 An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url... (6.1 MEDIUM)
  • CVE-2026-10856 A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while bei... (6.1 MEDIUM)
  • CVE-2026-10855 An authorization flaw existed in the MISP Event Template Importer overwrite workflow (4.3 MEDIUM)

Same CWE

  • CVE-2026-47177 Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
  • CVE-2026-47176 Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
  • CVE-2026-44486 Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)
  • CVE-2026-53912 Cerebrate before version 1.37 exposed credential material from self-registration requests
  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)