This release introduces a foundational beta UI/UX mode (which will be the foundation for the next versions, feedback is more than welcome), new workflow modules, improvements to the Event Index, and important security updates.

The MISP Core team is incredibly happy with the contribution of this significant UX/UI rework from Chris Horsley of Cosive, marking a positive step towards further collaboration on improving the user experience of MISP.

✨ New Features

• Beta UI/UX Mode: An opt-in beta UI / UX mode () is now available via user settings, featuring a redesigned Event Index and top navigation bar.
  • Redesigned Event Index: Includes responsive design, reorganized columns, distribution widgets, humanized timestamps, and consolidated action icons into a dropdown menu.
  • Navigation Changes: Main navigation is reorganized for better clustering and utilizes fly-out menus.
• Faster Organization Logo Loading: The Event Index now uses a new dedicated endpoint for loading organization logos, utilizing cached images instead of base64 decoding live, resulting in much faster rendering.
• Action Modules for Workflow: New Action modules are available to add tags based on MMDB and vulnerability information from vulnerability-lookup.org, enhancing automated data enrichment workflows.

Changes and Improvements

• Warninglists: Updated to the latest version which includes many new warning-lists.
• Bookmarks: The url field has been changed to text to support long URLs (Fixes #10564).
• RegExp View Migration: The Regular Expression views have been migrated to the factory pattern.
• Upgrade Script Optimization: MISP updates and database update commands have been removed from the standard upgrade script as they now run automatically.
• Vulnerability Lookup Update: Switched the external reference for vulnerability lookups from cvepremium.circl.lu to vulnerability.circl.lu.

Fixes

• Sharing Groups: Fixed an issue where sharing groups edit could become inoperable under certain conditions.
• REST Search: Added org_id and orgc_id filters to restsearch.
• On-Demand Correlation: Fixed an issue where long value2 values were breaking event loading during on-demand correlation.
• Correlation: Fix for ipv4-mapped ipv6 address handling to ensure correct correlation logic.
• Dashboard: Fixed an issue with the add function in the dashboard.
• OpenAPI: Aligned the sharing group blueprint to correctly add the sharing_group_id definition.
• General: Minor fixes for variable handling, regexp generator issues, and notice errors.

🛡️ Security Fixes

This release includes important fixes for several vulnerabilities:

• GCVE-1-2025-0040, GCVE-1-2025-0039, GCVE-1-2025-0038: This update provides fixes for additional regression on different security security fixes and source code review.
• Resolved further XSS vectors discovered during regression testing of sharing group edit functionality.
• Fixed a possible XSS vulnerability via a malicious external_baseurl.

This release introduces a foundational beta UI/UX mode (which will be the foundation for the next versions, feedback is more than welcome), new workflow modules, improvements to the Event Index, and important security updates.

The MISP Core team is incredibly happy with the contribution of this significant UX/UI rework from Chris Horsley of Cosive, marking a positive step towards further collaboration on improving the user experience of MISP.

✨ New Features

• Beta UI/UX Mode: An opt-in beta UI / UX mode () is now available via user settings, featuring a redesigned Event Index and top navigation bar.
  • Redesigned Event Index: Includes responsive design, reorganized columns, distribution widgets, humanized timestamps, and consolidated action icons into a dropdown menu.
  • Navigation Changes: Main navigation is reorganized for better clustering and utilizes fly-out menus.
• Faster Organization Logo Loading: The Event Index now uses a new dedicated endpoint for loading organization logos, utilizing cached images instead of base64 decoding live, resulting in much faster rendering.
• Action Modules for Workflow: New Action modules are available to add tags based on MMDB and vulnerability information from vulnerability-lookup.org, enhancing automated data enrichment workflows.

Changes and Improvements

• Warninglists: Updated to the latest version which includes many new warning-lists.
• Bookmarks: The url field has been changed to text to support long URLs (Fixes #10564).
• RegExp View Migration: The Regular Expression views have been migrated to the factory pattern.
• Upgrade Script Optimization: MISP updates and database update commands have been removed from the standard upgrade script as they now run automatically.
• Vulnerability Lookup Update: Switched the external reference for vulnerability lookups from cvepremium.circl.lu to vulnerability.circl.lu.

Fixes

• Sharing Groups: Fixed an issue where sharing groups edit could become inoperable under certain conditions.
• REST Search: Added org_id and orgc_id filters to restsearch.
• On-Demand Correlation: Fixed an issue where long value2 values were breaking event loading during on-demand correlation.
• Correlation: Fix for ipv4-mapped ipv6 address handling to ensure correct correlation logic.
• Dashboard: Fixed an issue with the add function in the dashboard.
• OpenAPI: Aligned the sharing group blueprint to correctly add the sharing_group_id definition.
• General: Minor fixes for variable handling, regexp generator issues, and notice errors.

🛡️ Security Fixes

This release includes important fixes for several vulnerabilities:

• GCVE-1-2025-0040, GCVE-1-2025-0039, GCVE-1-2025-0038: This update provides fixes for additional regression on different security security fixes and source code review.
• Resolved further XSS vectors discovered during regression testing of sharing group edit functionality.
• Fixed a possible XSS vulnerability via a malicious external_baseurl.

MISP v2.5.28 Release Notes (2025-12-10)

Changes

• Dashboard Update: Migrated the dashboard to Gridstack 12, involving several necessary adjustments.
• Security & Sanitization: Improved URL sanitization across the platform.
• Meta Communities Review: Enhanced the review process for MISP events shared within meta communities (e.g., CSIRT.SK MISP Community is now vetted).
  • Ensures events follow best practices (e.g., using object templates).
  • Proper utilization of sharing groups.
  • Addition of contextual information.
• Tag Filtering Logic: Refined the logic for tag filtering to more tightly decide between using UNION or EXISTS queries.
  • Uses the EXISTS branch for queries with heavier attribute filters to potentially limit the dataset.
  • Uses UNION otherwise.
• Collections Data Redaction: Redacted the creator user information for non-site administrators for consistency.
• Dependencies Updates:
  • Updated CakePHP.
  • Updated misp-taxonomies to the latest version.
• OpenAPI: MISP version added to the OpenAPI specification.
• Cleanup: Removed unused view files and dead code.
• Metadata & Communities: Fixed metadata and updated communities.

Fixes

A significant number of security and functionality fixes, primarily addressing various Cross-Site Scripting (XSS) vulnerabilities and dashboard issues:

Security Fixes (XSS)

• World Map View: Fixed XSS and restored widget configuration saving in the world map view, which was initially broken by the Gridstack 12 move.
• Low Impact / High Difficulty XSS: Fixed multiple low-impact XSS issues.
• Sharing Group Edit: Fixed XSS via external_baseurl in sharing group edit (requires compromised site admin).
• Reflected XSS: Fixed reflected XSS in preview index (requires site admin and user interaction).
• Workflow Execution Path: Fixed XSS in the workflow execution path.
• Actions Table Element: Fixed XSS via the actions table element.
• HTTP Method Validation: Tightened validation of HTTP method types.

Functionality & Data Fixes

• Enrichment: Ensured graceful passing to the next enrichment module if a previous one returns nothing (prevents exceptions).
• JS Alignment: Aligned JS function parameters with calls.
• Map Widget: Fixed behaviour for correct resizing.
• Dashboard: Fixed the functionality for adding a new widget.
• Proposal Sync: Correctly captures the proposal's organization context (orgc) when PUSHing proposals.
• Events Index Filtering: Ensured that filtering using searchall ignores deleted attributes.
• Galaxy Cluster Validation: Added default value for collection_uuid and added UUID uniqueness validation.
• Analyst Data: Added missing validation rules.
• OpenAPI Doc: Fixed documentation for Galaxy import.

Other

• Includes various branch merges and minor updates.
• Added installation guide for OpenBSD 7.8.
• Updated defaults.json with a new entry for the Slovak CSIRT.SK MISP Community.

This release delivers important new modules, major internal performance optimisations, updates to validation logic, and several security fixes. A large amount of work focused on improving JSON handling, filter pipelines, encoding performance, and overall system robustness.

🚀 New Features

Schema & Modules

• JSON schema updated to match the latest 2.5 features.
• New workflow module: flowintel-create-case added. flowintel
• Attribute fetcher pipeline created and reorganised.
  • Includes early attempts at improving query optimisation.

Changes

Internal Improvements

• Reworked internal JSON handling:
  • Use JsonTool for template generation.
  • Prefer SimdJsonBase64Encode when simdjson_php is available.
  • Use json_encode native unicode escaping.
  • Use simdjson_encode_to_stream for events and large arrays.
  • Use simdjson_encode when the extension is installed.
• Optimised handling of compressed requests, including zstd support.
• Use data file for postsemail background job.

Platform & Pipelines

• Warning-list updated to the latest version.
• Webhook workflow module: stronger parameter validation.
• Index tuning continues.
  • Working to resolve a major performance bottleneck.
• Filter pipeline: several iterations and reworks.

CI / Infrastructure

• CI added for feature branch workflows.

Fixes

Versioning

• Fixed version string and applied version bump.

Internal

• Prevent decoding compressed content twice in error controller.

UI / UX

• Updated handling of last_login to use the latest value after _postlogin->updateLoginTimes (fixes #10487).

Security Fixes

• Path traversal fixed in site-admin picture view.
  • Reported during Hack the Government 2025 (Belgium).
• Reflected XSS issues fixed in two forms.
  • Reported by an external security researcher.

Other Fixes

• Redirect fix for /users/index for all non-siteadmins (fix #10543).
• MAC address validation tightened.
• Telfhash validated as hex-only.
• Multiple fixes to tag filter logic and join conditions.

Summary

This release focuses heavily on internal performance enhancements, validation improvements, new workflow capabilities, and critical security patches. The team continues to push forward on improving scalability, pipeline reliability, and robustness of the 2.5 branch.

MISP v2.5.26 Release Notes (2025-11-20)

This release brings new features focused on performance improvements, logging enhancements, and data standardisation with the introduction of the UUID attribute type. It also includes several important bug fixes and dependency updates.

New Features

• Event Linking with UUIDs: Added an option to prioritize creating event links using UUIDs instead of traditional IDs, where possible, improving consistency across distributed systems.
• Performance Optimizations: Introduced new database indices to significantly enhance overall MISP performance.
• JSON Syslog Support: A new option allows saving syslog messages in JSON format for better logging sanity and easier processing. (Fixes #10539).
• UUID Attribute Type: Added a dedicated UUID attribute type to meet requirements from standards like FlowIntel and object templates, offering a better alternative to using text fields for unique identifiers.

⚙️ Changes & Updates

• misp-stix Improvements: Updated misp-stix to feature better STIX 2 input handling. This update helps prevent issues when loading content or files that might contain an invalid STIX 2 format produced by some non-compliant TIP platforms.
• Dependency Bumps: Updated numerous dependencies, including PyMISP, requirements.txt, and the requirement for taxii client version.
• Object & Data Updates:
  • misp-object updated.
  • warning-lists updated to the latest version.
  • misp-taxonomies updated to the latest version.
  • misp-galaxy updated to the latest version.
  • misp-objects updated to the latest version.
• Frontend Cleanup: Removed reference to the non-existing vis.map file in vis.js.

🛠️ Fixes

• Security: Forced stronger cipher suites to be set as the default, enhancing security (reported by Jakub Tomaszewski of Zigrin Security).
• Attribute Validation: Added validation for Attributes of type uuid.
• Code Cleanup: Removed the use of eval from doT.js in favor of globalThis.
• UI Fix: Corrected the event ID link in the side menu.
• Object Enrichment Fixes: Several bugs in object enrichment have been fixed.

(2025-11-12)

This release introduces a security fix, significant performance improvements for REST searches, new default feeds, and several important bug fixes.

Security

• Fixed a vulnerability that could expose user passwords in workflows.

Enhancements & Features

• New Feeds: Added three new "hideNseek LAB" Threat Intelligence Feeds (JSON, CSV, and IP Blocklist).
• Accessibility: Significantly improved accessibility for screen reader users when editing server settings. Users can now use an ARIA button to switch cells to edit mode, removing the need to double-click.
• STIX: The misp-stix submodule has been updated to the latest version.

Fixes & Performance

• Performance: Implemented a major performance fix for attribute-level REST searches that use tag filters. This was achieved by moving to a unioned subquery and removing an inefficient join.
• REST Search: Fixed a bug that caused event-level REST searches to fail when searching by tag.
• UI (Galaxies): Added the missing sharing group distribution level to the "quick-relation-add" interface for galaxy clusters.
• UI (Relations): Corrected an issue with editing cluster relations and improved the confirmation text.
• UI (Picker): Restored the correct behavior for the generic UUID picker.
• Documentation: The background jobs migration guide has been updated to include the new scheduler worker.
• Fixed a typo in the benchmarks.

🧹 Other

• The Mirai tracker project has been discontinued and removed.

MISP v2.5.24 Release Notes

Release Date: 2025-11-03

This release focuses on security enhancements, bug fixes, and minor improvements to stability and functionality.

• GCVE-1-2025-0010 < MISP 2.5.24 - Arbitrary file-hash inclusion via templates in the template engine in MispAttribute allows a web user to obtain the MD5 hash of any file accessible to them via inclusion of tmp_name in templates.
• GCVE-1-2025-0011 < MISP 2.5.24 - Invalid check for uploaded file validity in EventsController can lead to arbitrary file inclusion / deletion via import modules by spoofing the tmp_name of the request.
• GCVE-1-2025-0012 < MISP 2.5.24 - Potential vulnerability in file check upload but this vulnerability is non-exploitable as the code is never executed. This vulnerability information is kept for archiving.
• GCVE-1-2025-0013 < MISP 2.5.24 - Authorization bypass / improper access control in app/Controller/SharingGroupBlueprintsController.php in MISP on web application /or API allows an authenticated low-privilege user to inject arbitrary organizations into existing sharing groups (including groups that should not be extendable), thereby granting those organizations access to shared resources and escalating access via crafted sharing-group blueprints or API requests that bypass validation.
• GCVE-1-2025-0014 < MISP 2.5.24 - Cross-site scripting in Mermaid chart rendering component in MISP event report allows a remote attacker part of a MISP community to execute arbitrary JavaScript in the victim’s browser via injection of HTML tags in raw Mermaid charts synchronized through event reports.
• GCVE-1-2025-0015 < MISP 2.5.24 - Cross-site scripting in decaying tool simulation UI/component in MISP on web application allows an attacker/org who can set an organization's display name to execute arbitrary JavaScript in other users' browsers when they view or run simulations via a crafted organization name containing a script payload that is rendered unsanitized when a specific attribute is chosen for the simulation.
• GCVE-1-2025-0016 < MISP 2.5.24 - Local file inclusion in [ImportFromUrl() URL handling component in MISP event report (with pandoc support) on server-side document import feature / web application allows an attacker who can supply a URL to read local filesystem documents and disclose sensitive information (limited to document file types) via providing file:// URLs to ImportFromUrl() that are fetched without proper scheme/host validation.

Thanks to Raphael Lob and Jeroen Pinoy from NATO Cyber Security Center for the security evaluation and report.

Fixes

Security

• jQuery UI Upgrade: Upgraded jquery-ui used by gridstack to address a security vulnerability (fixes #10531).
• Local File Inclusion: Fixed a local file inclusion vulnerability for document files via importFromUrl(), reported by Jeroes Pinoy.
• Decaying Model Tool: Implemented a speculative fix for an edge case with an unescaped OR name in the decaying model tool, reported by Jeroen Pinoy.
• Mermaid Sanitisation: Improved mermaid sanitisation, maintaining the ability to render mermaid arrows while fixing a security issue, reported by Jeroen Pinoy.
• File Validity Check: Corrected a logic error in file validity checks (non-exploitable), reported by Raphael Lob from NATO Cyber Security Center.
• Object File Uploads: Enhanced sanitisation of the tmp_file name in object file uploads, thanks to Jeroen Pinoy from NATO Cyber Security Center.
• Sharing Group Blueprint Access Control: Tightened access control for sharing group blueprints, thanks to Jeroen Pinoy from NATO Cyber Security Center.
• Uploaded File Validity: Fixed an invalid check for uploaded file validity, thanks to Raphael Lob from NATO Cyber Security Center.

Other Fixes

• Publish Process: Tentative flipping of the publish flag at the start of the publish process to avoid timing issues due to slow server responses.
• Publishing: Moved publishing to separate background processes to prevent congestions caused by unreachable servers in in-line execution.
• Users Periodic Summary: Improved handling of tag filtering and usage of defined variables.
• Galaxy Cluster Fetcher: Corrected association when fetching target clusters from relations.
• Workflow Tag After Save: Ensured correct execution start when an event is tagged (fixes #10478).
• Logs Index: Ignored search_token and empty filters in the logs index.
• Cerebrate Pull Sharing Group: Correctly re-used the extend state set on Cerebrate.
• On-Demand Correlation: Fixed integrity constraint violation when correlating an event with multiple correlating equal value2 attributes (correlations will now show up on a single attribute in these cases, as discussed in #10521).
• Logs Index: Ignored search_token and empty filters in the logs index.

⚠️ WARNING: This is a maintenance update for the MISP 2.4 series. We strongly recommend all users upgrade to the latest MISP 2.5 series for the most up-to-date features, security patches, and performance improvements.

Thanks to Raphael Lob and Jeroen Pinoy from NATO Cyber Security Center for the security evaluation and report.

Changes

• Version Bump: Updated the MISP version.
• 2.5 Upgrade Script: Added the 2.5 upgrade script directly to the install directory for easier access.
• Training Cleanup: Removed an accidental line from the MISP API/developer workshop that was inadvertently left in a previous commit.

Fixes

Security

• jQuery UI Upgrade: Upgraded jquery-ui used by gridstack to address a security vulnerability (fixes #10531), as reported by @tobmes42.
• Local File Inclusion: Fixed a local file inclusion vulnerability for document files via importFromUrl(), as reported by Jeroes Pinoy.
• Decaying Model Tool: Implemented a speculative fix for an edge case with an unescaped OR name in the decaying model tool, as reported by Jeroen Pinoy.
• Mermaid Sanitisation: Improved mermaid sanitisation, which now keeps the ability to render mermaid arrows while fixing security issues, as reported by Jeroen Pinoy.
• File Validity Check: Corrected a logic error in file validity checks (non-exploitable, but incorrect), thanks to Raphael Lob from NATO Cyber Security Center.
• Object File Uploads: Enhanced sanitisation of the tmp_file name in object file uploads, thanks to Jeroen Pinoy from NATO Cyber Security Center.
• Sharing Group Blueprint Access Control: Tightened access control for sharing group blueprints, thanks to Jeroen Pinoy from NATO Cyber Security Center.
• Uploaded File Validity: Fixed an invalid check for uploaded file validity, thanks to Raphael Lob from NATO Cyber Security Center.

Other Fixes

• Publish Process: Tentative flipping of the publish flag at the start of the publish process to avoid timing issues due to slow server responses.
• Users Periodic Summary: Improved handling of tag filtering and usage of defined variables.
• Workflow Tag After Save: Ensured correct execution start when an event is tagged (Fixes #10478).
• Logs Index: Ignored search_token and empty filters in the logs index.
• Cerebrate Pull Sharing Group: Correctly re-used the state of extend set on Cerebrate.
• Attribute Add: Adhered to provided tag locality in /attributes/add.
• Workflow Editor: Running a workflow for debugging correctly shows the expected response.
• Logs Controller: Fixed broken named parameters search in the logs controller (fixes #10424).
• Overcorrelating Values: Chunked the lookup for overcorrelating values to prevent usability issues on large events.
• Fetcher Performance: Addressed a logic bug in the analystdataparentbehavior's implementation that caused exponentially slower performance as events grew larger.

Other

• Various merges from the 2.4 and 2.4-develop branches.
• The Mirai tracker project has been discontinued.

MISP 2.5.23 Release Notes - (2025-10-15)

New

• [first publication] added to events.
• [benchmarks] slow query log endpoint now accepts additional flags.
  • Simple add /{param} to the /benchmarks/sqlMetrics endpoint's URL, with the following parameters currently implemented:
    • /explain runs EXPLAIN on the SQL query
    • /analyze runs ANALYZE on the SQL query (careful, this can be demanding, especially for unfiltered /benchmarks/sqlMetrics calls as it will iterate and execute analyze on each hit)
• [doc] Added sharing group blueprints OpenAPI documentation.
• [preRelease] function added to admin shell.
  • Currently only has two functionalities:
    • dump the current DB schema
    • dump describeTypes.json
  • Usage: /var/www/MISP/app/Console/cake Admin preRelease

Changes

• [querystring] bump.
• [version] bump.
• [doc] add sharing group blueprints viewOrgs OpenAPI documentation.
• [warning-lists] updated.
• [misp-galaxy] updated.
• [taxonomies] updated to the latest version.
• [misp-stix] Bumped latest version.
• [restsearch limits] tuned for events / objects scopes.
  • use some basic heuristics to get sane limits for the given endpoints
  • fixed DB update
• [schema] update.
• Enable Test Pull Rules without pull rules set, change wording.
• [typo reintroduced] for backwards compatibility.
• [user edit] move the unsetting of the password field earlier.
  • will help avoid screw ups later on, the change was introduced in the previous commit

Fix

• Workflow 'add tag' fails on events without existing tags.
  • When pulling events from remote servers, the workflow's 'add tag' function could fail if the incoming event JSON lacked an existing 'Tag' array. This resulted in array_merge() receiving null instead of an array, causing a fatal error during event synchronization.
  • This commit modifies WorkflowBaseModule.php to ensure that $rData['Event']['Tag'] is always treated as an array (or an empty array if null), preventing array_merge() errors and ensuring workflow jobs complete successfully for events without pre-existing tags.
• [schema] fix.
• [galaxy cluster restsearch] don't barf back all results if an elements filter yields no results.
• Revert.
• [object reverse join] fixed if no contain parameters are provided.
• [reverse join fix] for objects.
• [benchmark controller] typo fix.
• [TagCollections] correct permission check in removeTag().
• [tag index link] fixed when clicking on tagged attributes.
  • it redirected to /attributes/search/tags:{id} rather than /attributes/index/tags:{id}
• [user edit] don't load related models when retrieving the user for editing via the GUI.
  • it lead to fetching all related event meta information, which can be a memory hog
• [user edit] don't load related models when retrieving the user for editing via the GUI, fixes #10509.
  • it lead to fetching all related event meta information, which can be a memory hog
• [galaxy timestamps] fixed when they are zeroed out.
  • helps with tighter SQL modes
• [tag-collection:removeTag] Reverted permission to allow deletion.
• [sharing group blueprints] viewOrgs fixed for the API.
• [galaxy cluster restsearch] improvements, fixes #3644.
  • allow value/type searches again
  • allow for substring searches (by using %) and multiple values
  • Example:

    {
        "value": ["%Sofacy%", "%APT-29%"]
    }

• [galaxy cluster restsearch] fixes #3644.
  • correctly use the elements parameter
  • allow for substring searches
  • allow for lists of values (that are ORed) within each element parameter such as:

    "elements": {
        "foo": ["ba%", "xyz"]
    }

• [db settings] fallback for cli_only settings when db_settings are enabled, fixes #10504.
  • not ideal, but at least we'll be able to save those settings using the config file rather than not having any way to enforce them
  • Keep in mind, this solution means that the setting will have to be set across all instances in a load balanced setup

Other

• Merge branch 'develop' into 2.5.
• Merge branch '10423' into develop.
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge pull request #10508 from Wachizungu/add-sharing-group-blueprints-vieworgs-openapi.
  • chg: [doc] add sharing group blueprints viewOrgs OpenAPI documentation
• Merge branch '2.5' into develop.
• Merge pull request #10510 from jsoref/update-pr-template-branch-to-2.5.
  • chore: Update current release branch
• Chore: Update current release branch.
• Merge pull request #10512 from jsoref/update-issue-templates-branch-to-2.5.
  • chore: Update code of conduct link for current release
• Chore: Update code of conduct link for current release.
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge branch '10518' into develop.
• General spelling corrections across the codebase for various terms and phrases.
• Merge branch '10517' into develop.
• Merge branch '10516' into develop.
• Merge branch '10511' into develop.
• Merge branch '10515' into develop.
• Merge branch '10514' into develop.
• Replace deprecated apt-key.
• Merge branch '10513' into develop.
• Updated various links including STIX format, old MISP automation page, OpenAPI spec of the MISP Automation API, start page, feed data, mkdocs site, MISP/MISP issues, and installation instructions for Ubuntu and RHEL/CentOS distributions.
• Merge pull request #10431 from Frisb7/fix/removeTagPermission.
  • fix: [TagCollections] correct permission check in removeTag()
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge branch '10506' into develop.
• Added Debian 13 installer and minor fix to Debian 12 installer.
• Merge branch 'develop' of github.com:MISP/MISP into develop.
• Merge pull request #10505 from Wachizungu/add-sharing-group-blueprints-openapi-doc.
  • new: [doc] Added sharing group blueprints OpenAPI documentation

Authors

• iglocska
• Jeroen Pinoy
• Alexandre Dulaunoy
• Christian Studer
• Luciano Righetti
• Giacomo Guerzoni
• frisb7
• Sami Mokaddem
• Andras Iklody
• Josh Soref
• alk4lo1d

We are pleased to announce the release of MISP v2.5.22.

This release brings new features, improvements, fixes, and important updates to keep MISP stable and up to date.

🚀 New

• Forgejo Actions: Added the synchronisation workflow.

🔧 Changes

• Version bump.
• Event Report View: Better support for extended events
  • All children of the current event are visible.
  • All children of the parent of the current event are visible.
• Schema bump.
• MISP Galaxy: updated.
• Warning-lists: updated to the latest version.
• Taxonomies: updated to the latest version.
• MISP Object: updated.

🐛 Fixes

• Forgejo Actions: Updated PATH for synchronisation CI.
• Attribute search form inputs now correctly filled with values from named URL parameters.
• Event Report View: Fixed MISP element cache to prevent override by parent data.
• Indexing: Improved handling for high performance indexing in value-based event search.
  • Handles non-existent value1/value2 indices gracefully with fallback.
• REST Search: Added complex query support to value filter.
• Event: Switched Correlation and Warninglist filtering option.
• Attribute Search: UUID field now behaves as expected.
  • Allows numeric IDs for events.
  • Maintains proper behavior when using valid UUIDs.
• Check PyMISP version in submodule, AppController, and requirements.

📦 Other

• Various merges from develop and 2.5 branches.
• Forgejo pipeline for synchronisation.
• Support for creating locked events on feed pulls.
• Set correct property on new events.

🙏 Authors

This release was made possible thanks to the contributions of:

Thomas Lacroix (ThomasLcr), iglocska, Sami Mokaddem, Alexandre Dulaunoy, Jeroen Gui, Karsa Rigó, Raphaël Vinot, Sid Odgers