CVE-2026-10861— MISP 登录后通过预登录请求URL实现开放重定向漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2026-10861 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
MISP post-login open redirect via pre_login_requested_url
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
来源: 美国国家漏洞数据库 NVD
受影响产品
二、漏洞 CVE-2026-10861 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2026-10861 的情报信息
请登录查看更多情报信息。
CVE-2026-10861 补丁与修复 (1)
同批安全公告 · misp · 2026-06-04 · 共 8 条
| CVE-2026-10860 | MISP CRUDComponent 删除验证绕过漏洞 | |
| CVE-2026-10854 | MISP 事件模板创建中私有星系未授权暴露漏洞 | |
| CVE-2026-10856 | MISP仪表盘按钮小部件URL处理中的开放重定向漏洞 | |
| CVE-2026-10863 | MISP 用户可控排序参数导致过度关联 | |
| CVE-2026-10864 | MISP 仪表板小部件字段选择可能泄露受限用户和组织数据 | |
| CVE-2026-10868 | MISP用户编辑接口批量赋值漏洞,可致未授权修改用户账号 | |
| CVE-2026-10855 | MISP事件模板导入器授权绕过漏洞 |
IV. Related Vulnerabilities
V. Comments for CVE-2026-10861
暂无评论