CVE-2026-39980

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5	Product Release Notes
https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*

History

22 Apr 2026, 00:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:citeum:opencti::::::::
First Time		Citeum Citeum opencti
References	~~() https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5 -~~	() https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5 - Product, Release Notes
References	~~() https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf -~~	() https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf - Vendor Advisory

09 Apr 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 18:17

Updated : 2026-04-22 00:27

NVD link : CVE-2026-39980

Mitre link : CVE-2026-39980

CVE.ORG link : CVE-2026-39980

JSON object : View

Products Affected

citeum

opencti

CWE

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

{"id": "CVE-2026-39980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-04-09T18:17:02.203", "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5."}], "lastModified": "2026-04-22T00:27:12.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62B2280A-9179-4CDB-A6B4-EB11173EF85C", "versionEndExcluding": "6.9.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}