Tue, Jun 02 · 02:16 PM CDTCVE-2026-10611
10.0/10 · Must read/watchNVDvuln
Summary
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established
CVECVE-2026-10611
SeverityCRITICAL
TypeUPDATED
PublishedTue, Jun 02 · 02:16 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Jun 22 · 02:29 PM CDTCVE-2018-12649
9.8/10 · Must read/watchNVDvuln
Summary
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVECVE-2018-12649
SeverityCRITICAL
TypeUPDATED
PublishedFri, Jun 22 · 02:29 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Tue, Jun 30 · 02:15 PM CDTCVE-2020-15411
9.8/10 · Must read/watchNVDvuln
Summary
An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.
CVECVE-2020-15411
SeverityCRITICAL
TypeUPDATED
PublishedTue, Jun 30 · 02:15 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Tue, Nov 24 · 03:15 PM CSTCVE-2020-29006
9.8/10 · Must read/watchNVDvuln
Summary
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
CVECVE-2020-29006
SeverityCRITICAL
TypeUPDATED
PublishedTue, Nov 24 · 03:15 PM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Jun 25 · 09:15 PM CDTCVE-2021-35502
9.8/10 · Must read/watchNVDvuln
Summary
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data related to generic-template:index.
CVECVE-2021-35502
SeverityCRITICAL
TypeUPDATED
PublishedFri, Jun 25 · 09:15 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Thu, Aug 19 · 05:15 PM CDTCVE-2021-39302
9.8/10 · Must read/watchNVDvuln
Summary
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
CVECVE-2021-39302
SeverityCRITICAL
TypeUPDATED
PublishedThu, Aug 19 · 05:15 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Sep 17 · 06:15 PM CDTCVE-2021-41326
9.8/10 · Must read/watchNVDvuln
Summary
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call.
CVECVE-2021-41326
SeverityCRITICAL
TypeUPDATED
PublishedFri, Sep 17 · 06:15 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Wed, Apr 20 · 11:15 PM CDTCVE-2022-29528
9.8/10 · Must read/watchNVDvuln
Summary
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
CVECVE-2022-29528
SeverityCRITICAL
TypeUPDATED
PublishedWed, Apr 20 · 11:15 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Mon, Feb 20 · 04:15 AM CSTCVE-2022-48328
9.8/10 · Must read/watchNVDvuln
Summary
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
CVECVE-2022-48328
SeverityCRITICAL
TypeUPDATED
PublishedMon, Feb 20 · 04:15 AM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Mon, Feb 20 · 04:15 AM CSTCVE-2022-48329
9.8/10 · Must read/watchNVDvuln
Summary
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php.
CVECVE-2022-48329
SeverityCRITICAL
TypeUPDATED
PublishedMon, Feb 20 · 04:15 AM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Dec 15 · 06:15 PM CSTCVE-2023-50918
9.8/10 · Must read/watchNVDvuln
Summary
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
CVECVE-2023-50918
SeverityCRITICAL
TypeUPDATED
PublishedFri, Dec 15 · 06:15 PM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Feb 09 · 09:15 AM CSTCVE-2024-25674
9.8/10 · Must read/watchNVDvuln
Summary
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
CVECVE-2024-25674
SeverityCRITICAL
TypeUPDATED
PublishedFri, Feb 09 · 09:15 AM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Fri, Feb 09 · 09:15 AM CSTCVE-2024-25675
9.8/10 · Must read/watchNVDvuln
Summary
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.
CVECVE-2024-25675
SeverityCRITICAL
TypeUPDATED
PublishedFri, Feb 09 · 09:15 AM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Thu, Mar 21 · 04:15 AM CDTCVE-2024-29858
9.8/10 · Must read/watchNVDvuln
Summary
In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVECVE-2024-29858
SeverityCRITICAL
TypeUPDATED
PublishedThu, Mar 21 · 04:15 AM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Thu, Mar 21 · 04:15 AM CDTCVE-2024-29859
9.8/10 · Must read/watchNVDvuln
Summary
In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVECVE-2024-29859
SeverityCRITICAL
TypeUPDATED
PublishedThu, Mar 21 · 04:15 AM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Tue, Dec 10 · 06:15 PM CSTCVE-2024-53866
9.8/10 · Must read/watchNVDvuln
Summary
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation).
CVECVE-2024-53866
SeverityCRITICAL
TypeUPDATED
PublishedTue, Dec 10 · 06:15 PM CST
ModifiedMon, Jun 22 · 02:38 PM CDT
Thu, Mar 05 · 04:16 PM CSTCVE-2026-30783
9.8/10 · Must read/watchNVDvuln
Summary
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program rout
CVECVE-2026-30783
SeverityCRITICAL
TypeUPDATED
PublishedThu, Mar 05 · 04:16 PM CST
ModifiedMon, Jun 22 · 02:16 PM CDT
Thu, Mar 05 · 04:16 PM CSTCVE-2026-30789
9.8/10 · Must read/watchNVDvuln
Summary
Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Password Brute Forcing. The authentication pro
CVECVE-2026-30789
SeverityCRITICAL
TypeUPDATED
PublishedThu, Mar 05 · 04:16 PM CST
ModifiedMon, Jun 22 · 02:16 PM CDT
Mon, Apr 06 · 05:17 PM CDTCVE-2026-34977
9.8/10 · Must read/watchNVDvuln
Summary
Aperi'Solve is an open-source steganalysis web platform. In versions 3.1.3 through 3.2.0, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command, without any form of sani
CVECVE-2026-34977
SeverityCRITICAL
TypeUPDATED
PublishedMon, Apr 06 · 05:17 PM CDT
ModifiedTue, Jun 23 · 12:16 AM CDT
Wed, May 20 · 02:16 AM CDTCVE-2026-6555
9.8/10 · Must read/watchNVDvuln
Summary
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-acces
CVECVE-2026-6555
SeverityCRITICAL
TypeUPDATED
PublishedWed, May 20 · 02:16 AM CDT
ModifiedTue, Jun 23 · 02:16 AM CDT
Thu, Apr 09 · 05:16 PM CDTCVE-2026-39962
9.6/10 · Must read/watchNVDvuln
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instea
CVECVE-2026-39962
SeverityCRITICAL
TypeUPDATED
PublishedThu, Apr 09 · 05:16 PM CDT
ModifiedMon, Jun 22 · 07:23 PM CDT
Mon, May 18 · 03:16 PM CDTCVE-2026-41948
9.4/10 · Must read/watchNVDvuln
Summary
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in tas
CVECVE-2026-41948
SeverityCRITICAL
TypeUPDATED
PublishedMon, May 18 · 03:16 PM CDT
ModifiedMon, Jun 22 · 06:16 PM CDT
Tue, Jan 19 · 04:15 PM CSTCVE-2021-25323
9.1/10 · Must read/watchNVDvuln
Summary
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
CVECVE-2021-25323
SeverityCRITICAL
TypeUPDATED
PublishedTue, Jan 19 · 04:15 PM CST
ModifiedMon, Jun 22 · 07:23 PM CDT
Mon, May 18 · 03:16 PM CDTCVE-2026-41947
9.1/10 · Must read/watchNVDvuln
Summary
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages
CVECVE-2026-41947
SeverityCRITICAL
TypeUPDATED
PublishedMon, May 18 · 03:16 PM CDT
ModifiedMon, Jun 22 · 06:16 PM CDT
Thu, May 28 · 09:16 AM CDTCVE-2026-4408
9.0/10 · Must read/watchNVDvuln
Summary
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-c
CVECVE-2026-4408
SeverityCRITICAL
TypeUPDATED
PublishedThu, May 28 · 09:16 AM CDT
ModifiedTue, Jun 23 · 08:16 AM CDT