CSP Report Endpoint Log Flooding via Incorrect Size Limit

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

Basic Information

ID CVE-2026-9137

Source CIRCL

Published May 20, 2026 at 18:43

Affected Product

Vendor misp

Product misp

Version 2.5.0

Affected Versions misp misp 2.5.0

CWE Classification

CWE-400

References

github.com /MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9

{
    "lastseen": "",
    "description": "The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.",
    "published": "2026-05-20T18:43:30.895Z",
    "modified": "2026-05-20T18:43:30.895Z",
    "type": "cve",
    "title": "CSP Report Endpoint Log Flooding via Incorrect Size Limit",
    "source": "CIRCL",
    "references": "https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9",
    "id": "CVE-2026-9137",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "misp misp 2.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "misp",
    "version": "2.5.0",
    "vendor": "misp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

CSP Report Endpoint Log Flooding via Incorrect Size Limit_CVE-2026-9137