Security Vulnerabilities
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation.
An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object.
CVSS Score
3.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
CVSS Score
7.1
EPSS Score
0.0
Published
2026-06-04
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Score
1.1
EPSS Score
0.0
Published
2026-06-04
A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
CVSS Score
1.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
CVSS Score
3.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
CVSS Score
3.7
EPSS Score
0.001
Published
2026-06-04
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
CVSS Score
6.9
EPSS Score
0.0
Published
2026-06-04
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-06-04