cvedb.io
CVE-2026-10860
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-06-04T15:16:49.433 · Last modified 2026-06-22T19:23:18.580

Summary

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

Affected products

misp-project — misp

Does this affect you?

Add your gear to cvedb and we'll alert you only when misp-project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.