{"id":"CVE-2026-10861","summary":"MISP post-login open redirect via pre_login_requested_url","details":"An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.\n\n\n\n\nAn unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. \n\n\n\n\nThe patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\\example.com.","modified":"2026-07-15T01:49:00.586717451Z","published":"2026-06-04T13:26:05.465Z","database_specific":{"cna_assigner":"CIRCL","cwe_ids":["CWE-601"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10861.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10861.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10861"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d59a1f961b31adb3443e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/misp/misp","events":[{"introduced":"0"},{"fixed":"82e9c4f22879e3f32f60f5857aac0e829152bc76"},{"fixed":"ae760b7bf534f2798810d59a1f961b31adb3443e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.5.39"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*"}}],"versions":["v2.5.37","v2.5.38","v2.5.36","v2.5.35","v2.5.34","v2.5.33","v2.5.32","v2.5.31","v2.5.30","v2.5.29","v2.5.28","v2.5.27","v2.5.26","v2.5.25","v2.5.24","v2.5.23","v2.5.22","v2.5.21","v2.5.20","v2.5.19","v2.5.18","v2.5.17","v2.5.16","v2.5.15","v2.5.12","v2.5.14","v2.5.13","v2.5.11","v2.5.10","v2.5.9","v2.5.8","v2.5.7","v2.5.0","v2.4.196","v2.4.195","v2.4.194","v2.4.193","v2.4.192","v2.4.191","v2.4.190","v2.4.189","v2.4.188","v2.4.187","v2.4.186","v2.4.175","v2.4.185","v2.4.183","v2.4.184","v2.4.153","v2.4.152","v2.4.137","v2.4.136","v2.4.134","v2.4.133","v2.4.130","v2.4.128","v2.4.127","v2.4.125","v2.4.123","v2.4.122","v2.4.121","v2.4.120","v2.4.118","v2.4.111","rm","v2.4.110","v2.4.109","codename/tellurium","v2.4.107","v2.4.106","v2.4.102","v2.4.101","v2.4.100","v2.4.98","v2.4.96","v2.4.95","v2.4.94","v2.4.93","v2.4.91","v2.4.89","v2.4.88","v2.4.87","v2.4.86","v2.4.85","v2.4.83","v2.4.82","v2.4.80","v2.4.78","v2.4.65","v2.4.64","v2.4.63","v2.4.62","v2.4.61","v2.4.60","v2.4.59","v2.4.58","v2.4.57","v2.4.56","v2.4.54","v2.4.53","v2.4.52","v2.4.51","v2.4.50","v2.4.48","v2.4.47","v2.4.46","v2.4.45","v2.4.43","v2.4.39","v2.4.38","v2.4.37","v2.4.36","v2.4.35","v2.4.34","v2.4.27","v2.4.26","v2.4.25","v2.4.24","v2.4.23","v2.4.22","v2.4.21","v2.4.20","v2.4.18","v2.4.17","v2.4.16","v2.4.15","v2.4.14","v2.4.13","v2.4.11","v2.4.10","v2.4.9","v2.4.7","v2.4.5","v2.4.4","v2.4.3","v2.4.2","v2.4.1","v2.4.0","v2.3.0","v0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10861.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Green"}]}