CVE-2026-53693 is a stored cross-site scripting vulnerability in MISP bsimvis (up to version 0.2.0). The issue is due to several client-side rendering paths that interpolate unescaped user-controllable data (tags, collections, entity IDs, clusters, metadata) directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values. The lack of context-appropriate escaping allows an attacker able to create or influence stored tag or metadata values to inject crafted payloads. When other users view affected BSimVis pages, the injected JavaScript executes in their browsers, potentially enabling actions such as session hijacking, data theft, or UI manipulation. The patch involves adding shared escaping helpers for HTML, attributes, JavaScript strings, and CSS color validation, applied across various UI components including tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamic tag cards.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers when they view affected BSimVis pages. This can lead to unauthorized actions performed on behalf of the victim, exposure of sensitive data accessible to the victim, or alteration of the displayed application content. The vulnerability affects confidentiality, integrity, and user trust in the application interface.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has described a patch that adds shared escaping helpers and applies them across affected UI components, but no official fix or patch link is provided in the available data. Users should monitor the vendor's advisories for an official fix. Until then, restrict permissions to create or modify tags and metadata to trusted users only to reduce risk.