Vulnerability Details CVE-2026-9137
The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.7%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-9137
-
cpe:2.3:a:misp:misp:2.5.0
-
cpe:2.3:a:misp:misp:2.5.1
-
cpe:2.3:a:misp:misp:2.5.10
-
cpe:2.3:a:misp:misp:2.5.11
-
cpe:2.3:a:misp:misp:2.5.12
-
cpe:2.3:a:misp:misp:2.5.13
-
cpe:2.3:a:misp:misp:2.5.14
-
cpe:2.3:a:misp:misp:2.5.15
-
cpe:2.3:a:misp:misp:2.5.16
-
cpe:2.3:a:misp:misp:2.5.17
-
cpe:2.3:a:misp:misp:2.5.18
-
cpe:2.3:a:misp:misp:2.5.19
-
cpe:2.3:a:misp:misp:2.5.2
-
cpe:2.3:a:misp:misp:2.5.20
-
cpe:2.3:a:misp:misp:2.5.21
-
cpe:2.3:a:misp:misp:2.5.22
-
cpe:2.3:a:misp:misp:2.5.23
-
cpe:2.3:a:misp:misp:2.5.24
-
cpe:2.3:a:misp:misp:2.5.25
-
cpe:2.3:a:misp:misp:2.5.26
-
cpe:2.3:a:misp:misp:2.5.27
-
cpe:2.3:a:misp:misp:2.5.28
-
cpe:2.3:a:misp:misp:2.5.29
-
cpe:2.3:a:misp:misp:2.5.3
-
cpe:2.3:a:misp:misp:2.5.30
-
cpe:2.3:a:misp:misp:2.5.31
-
cpe:2.3:a:misp:misp:2.5.32
-
cpe:2.3:a:misp:misp:2.5.33
-
cpe:2.3:a:misp:misp:2.5.34
-
cpe:2.3:a:misp:misp:2.5.35
-
cpe:2.3:a:misp:misp:2.5.36
-
cpe:2.3:a:misp:misp:2.5.4
-
cpe:2.3:a:misp:misp:2.5.5
-
cpe:2.3:a:misp:misp:2.5.6
-
cpe:2.3:a:misp:misp:2.5.7
-
cpe:2.3:a:misp:misp:2.5.8
-
cpe:2.3:a:misp:misp:2.5.9