CVE Catalog

CVE-2026-10861

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() where the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.

Risk Assessment

An unauthenticated remote attacker could craft a link that redirects a victim to a malicious site after successful authentication, increasing the credibility of phishing attacks and leading to data theft.

Recommendation

It is recommended to apply the patch that decodes and parses the URL, rejecting those with invalid schemes, hosts, and paths to prevent open redirects.

Original NVD description (English source)

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS