← All CVEs

CVE-2026-10860

HIGH 7.9

Published 2026-06-04 · Last modified 2026-06-11

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

ELEVATED IMPACT

Severe if exploited (CVSS 7.9), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 10th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.9CVSS 4.0 · HIGH

  • ConfidentialityNone
  • IntegrityLow
  • AvailabilityLow

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Misp

Products Misp

Weakness (CWE)

  • CWE-863: Incorrect authorization

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H

Sources: NVD · CVE.org · EPSS