CVEFinder.io

CVE-2026-9137

⚠️ high
πŸ” Scan for this CVE
Summary

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

CVSS Score
7.5
High
EPSS Score
0.4
Exploit Probability
Published Date
2026-05-20
First Seen: 2026-05-21
πŸ“Š Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,778 vulnerabilities in our database.

#102,523
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
πŸ† Discovered By
Seth Kraft
SSVC data provided by CISA
Last Modified 2026-06-22
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

πŸ“¦ Affected Products 2

πŸ”— References 1

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-56423 ⚠️ high 8.8 0.3 MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The a... 2026-06-22
CVE-2026-56424 ⚠️ high 8.8 0.4 MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong ent... 2026-06-22
CVE-2026-56446 ⚠️ high 7.2 0.4 MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool... 2026-06-22
CVE-2026-56447 ⚠️ high 7.2 0.3 MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path... 2026-06-22
CVE-2026-10854 πŸ”Ά medium 4.3 0.2 A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxi... 2026-06-04
CVE-2026-10855 πŸ”Ά medium 4.3 0.2 An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template i... 2026-06-04
These CVEs affect the same products