CVE-2026-10856 in MISP
Summary
by MITRE • 06/04/2026
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.
An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/04/2026
This vulnerability represents a sophisticated input validation flaw that exploits browser URL parsing inconsistencies to bypass security controls. The issue manifests in the MISP dashboard button widget where URL validation logic fails to properly sanitize paths that begin with a slash followed by a backslash pattern such as /\example.com. This specific pattern exploits a normalization behavior in web browsers where backslashes are converted to forward slashes during URL processing, effectively transforming what appears to be a local path into an external scheme-relative URL. The vulnerability stems from inadequate validation of URL components and fails to account for browser-specific URL parsing behaviors that can lead to unexpected navigation targets. The flaw is particularly dangerous because it allows attackers to create buttons that visually appear to point to internal application resources while actually redirecting users to external malicious domains.
The technical implementation of this vulnerability involves multiple layers of validation failure that create a dangerous gap in the security model. Traditional URL validation mechanisms correctly reject explicit schemes, hosts, and user components, but fail to properly handle edge cases involving path normalization. The presence of paths beginning with /\ triggers a browser normalization process that converts the backslash to a forward slash, effectively creating a scheme-relative URL that browsers interpret as external navigation. This normalization behavior creates a fundamental mismatch between the application's validation logic and actual browser interpretation. Additionally, the href generation process compounds the issue by concatenating the reconstructed validated URL with the original URL, creating potential for malformed or unsafe link construction that could be exploited in various attack scenarios.
The operational impact of this vulnerability extends beyond simple redirection and creates significant risks for user security and application integrity. Attackers who can influence dashboard button configuration can craft malicious buttons that appear legitimate to users while performing unauthorized external navigation. This capability enables sophisticated phishing campaigns where users are deceived into visiting malicious sites that appear to be part of the trusted MISP application. The vulnerability also increases the risk of credential theft and social engineering attacks since users may unknowingly navigate to attacker-controlled domains while believing they are performing routine application tasks. The attack surface is particularly concerning in enterprise environments where MISP dashboards are used for security monitoring and incident response, as these systems often contain sensitive information and user credentials.
The remediation approach addresses the core validation issues by implementing stricter path validation rules that explicitly reject empty paths and paths beginning with the dangerous /\ pattern. This solution directly targets the normalization vulnerability by preventing the creation of URLs that could be transformed into external navigation targets through browser processing. The fix also modifies the href generation logic to ensure that only the reconstructed validated URL is used, eliminating the concatenation that previously created opportunities for malformed link generation. This approach aligns with established security practices for URL handling and input validation, and addresses the specific CWE categories related to input validation and URL parsing. The solution effectively closes the attack vector while maintaining the intended functionality of the dashboard button widget, preventing the exploitation of browser URL normalization behaviors that were previously leveraged by attackers to bypass security controls. This remediation demonstrates the importance of considering browser-specific URL processing behaviors during security validation and highlights the need for comprehensive testing of input validation logic against various normalization scenarios.