CVE-2026-8080 MEDIUM

CVE-2026-8080: MISP core - Stored XSS in MISP template (old engine) element attribute type

Vendor Misp

Product misp

Weakness CWE-79 · XSS

Published May 7, 2026

Last update May 7, 2026

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Green

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38

Key dates

02Disclosure timeline

May 7, 2026 CVE published

May 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-8080 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-8080: MISP core - Stored XSS in MISP template (old engine) element attribute type

01Description

02Disclosure timeline

03References

04Related CVE