Cyber Posture

CVE-2026-39980

Critical

Published: 09 April 2026
Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly addresses the improper sanitization of EJS templates in safeEjs.ts by enforcing input validation to prevent arbitrary JavaScript execution during notifier template processing.

prevent: Enforces least privilege to restrict the 'Manage customization' capability required for exploitation, preventing privileged users from injecting malicious templates.

prevent: Requires timely flaw remediation through patching to OpenCTI 6.9.5 or later, eliminating the unsanitized EJS template vulnerability.

Security Summary [AI]

CVE-2026-39980 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) affecting OpenCTI, an open-source platform for managing cyber threat intelligence knowledge and observables. The issue stems from improper sanitization of EJS templates in the safeEjs.ts file in versions prior to 6.9.5, linked to CWE-1336 (Incomplete Element Semantic Validation). This flaw allows execution of unsanitized templates during notifier operations.

An attacker requires high privileges, specifically the "Manage customization" capability within OpenCTI, to exploit this remotely over the network with low complexity and no user interaction. Successful exploitation enables running arbitrary JavaScript code in the context of the OpenCTI platform process, potentially leading to complete compromise of confidentiality, integrity, and availability across the affected scope due to the changed scope (S:C).

The vulnerability is addressed in OpenCTI version 6.9.5, as detailed in the project's release notes (https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5) and security advisory (https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf). Security practitioners should upgrade to 6.9.5 or later and review access to the Manage customization capability.
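The input-validation control listed above and the summary's advice to constrain who can edit notifier templates both come down to one design question: does template text ever reach a JavaScript evaluator? The following Node.js snippet is an added illustration of the defensive pattern, not OpenCTI's code and not a description of how safeEjs.ts behaves. It audits a stored template for any EJS tag that is not a plain escaped field reference (scriptlets, unescaped output, or expressions beyond a dotted path) and renders the remaining subset by name lookup only, so no template content is ever executed. The tag grammar, field names and sample data are constructed for the example.

```javascript
'use strict';

// Matches EJS-style tags: scriptlets <% ... %>, comments <%# ... %>,
// whitespace-slurping <%_ ... _%>, unescaped output <%- ... %> and
// escaped output <%= ... %>. Group 1 is the mode character, group 2 the body.
const TAG_RE = /<%([=\-_#]?)([\s\S]*?)[_\-]?%>/g;

// The only expression shape the restricted renderer accepts: a dotted path of
// plain identifiers such as "notification.name" (constructed grammar).
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Audit a stored notifier template. Every tag that is not an escaped output of
// a plain field path (comments excepted) is reported, so a reviewer or a CI
// check over exported customizations sees exactly which tags would reach a
// JavaScript evaluator under a full EJS engine.
function auditTemplate(template) {
  const findings = [];
  for (const match of template.matchAll(TAG_RE)) {
    const [tag, mode, body] = match;
    const expr = body.trim();
    if (mode === '=') {
      if (!PATH_RE.test(expr)) {
        findings.push({ tag, reason: 'expression is not a plain field path' });
      }
    } else if (mode === '-') {
      findings.push({ tag, reason: 'unescaped output' });
    } else if (mode !== '#') {
      findings.push({ tag, reason: 'scriptlet' });
    }
  }
  return findings;
}

// Resolve a dotted path against the notification data, walking own properties
// only, so a path such as "constructor.constructor" resolves to nothing instead
// of reaching Function through the prototype chain.
function lookup(data, path) {
  let current = data;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

// Render with the restricted subset only. A template that fails the audit is
// rejected up front rather than partially rendered.
function renderRestricted(template, data) {
  const findings = auditTemplate(template);
  if (findings.length > 0) {
    const detail = findings.map((f) => `${f.reason} in ${f.tag}`).join('; ');
    throw new Error('template rejected: ' + detail);
  }
  return template.replace(TAG_RE, (_tag, mode, body) => {
    if (mode === '#') return '';
    const value = lookup(data, body.trim());
    return value === undefined || value === null ? '' : htmlEscape(value);
  });
}

// Constructed sample: a notifier template and the data it renders with.
const SAMPLE_DATA = {
  user: { name: 'Ana <analyst>' },
  notification: { name: 'Suspicious login', count: 3 },
};
const SAFE_TEMPLATE =
  'Hello <%= user.name %>: "<%= notification.name %>" fired <%= notification.count %> times.';

console.log(renderRestricted(SAFE_TEMPLATE, SAMPLE_DATA));
console.log(auditTemplate('<% user.name = "x" %> <%- notification.name %>'));
```

The audit is deliberately an allow-list: anything other than `<%= dotted.path %>` (or a comment) is reported, rather than trying to enumerate dangerous constructs inside a scriptlet. Pairing that with own-property lookup closes the prototype-walk route as well, which a plain field path would otherwise leave open.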

Details

CWE(s): CWE-1336

Affected Products

citeum opencti (≤ 6.9.5)

MITRE ATT&CK Enterprise Techniques [AI]

T1221 Template Injection · Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The vulnerability is due to improper sanitization of EJS templates, directly enabling template injection (T1221) for arbitrary JavaScript code execution in the server process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References