Luciano Righetti

#11999of 53,633
22.8Total CVSS
Vulnerabilities · 3
Medium
2
Critical
1
PT-2026-45744
10
2026-06-02
Misp · Misp · CVE-2026-10611
**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** An authentication bypass occurs when LDAP mixed authentication is enabled alongside OTP enforcement. In configurations where `LdapAuth.mixedAuth` is set to `true` and `Security.require otp` is set to `true`, the application may establish an authenticated session during the `beforeFilter` phase before the standard login flow enforces the OTP challenge. This allows an attacker with valid primary credentials to bypass the OTP step by authenticating via the plugin-backed flow and directly accessing an application URL, gaining access without a valid TOTP, HOTP, or email OTP code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2026-42189
6.0
2026-05-20
Misp · Misp · CVE-2026-9084
**Name of the Vulnerable Software and Affected Versions** MISP (affected versions not specified) **Description** The OIDC authentication plugin allows automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account lacks a stored `sub` value. In scenarios with insecure or untrusted Identity Provider (IdP) configurations where email ownership is not verified, an attacker possessing a valid OIDC token can assert a victim's email address to authenticate as that user, resulting in account takeover. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2026-38424
6.8
2026-05-07
Misp · Misp · CVE-2026-8080
**Name of the Vulnerable Software and Affected Versions** MISP versions prior to 2.5.37 **Description** A stored cross-site scripting issue exists in the template element attribute handling logic. The application fails to validate arbitrary values for the `TemplateElementAttribute` type and category fields against known attribute type and category definitions. This allows an attacker with permissions to create or modify template element attributes to store a crafted type value. This issue specifically affects the old templating engine, which is no longer accessible in version 2.5.37 and is scheduled for removal in version 2.5.38. **Recommendations** Update to version 2.5.37 or later.