CVE-2026-9137 MEDIUM

CVE-2026-9137: CSP Report Endpoint Log Flooding in MISP via Incorrect Size Limit

Vendor Misp
Product misp
Weakness CWE-400
Published May 20, 2026
Last update May 29, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

Key dates

02Disclosure timeline

May 20, 2026 CVE published
May 29, 2026 Record updated