Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. It does require user interaction, but it could be exploited by someone sharing a STIX bundle or through any of the ingesters. This could lead to CSRF and then large-scale session theft. Version 7.260227.0 contains a fix.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting (XSS) vulnerability was discovered in the OpenCTI Platform. The body of an email-message observable is rendered without sanitization, so an attacker can embed script code in it. The flaw requires a user to view the observable, but the malicious observable can be delivered through a shared STIX bundle or an ingester that processes email data. Exploitation executes script in the victim's browser, enabling cross-site request forgery and ultimately theft of the victim's session.

Affected Systems

The OpenCTI Platform, versions prior to 7.260227.0, is affected. The maintainers released 7.260227.0, which includes the fix. The vulnerability is present in any deployment that renders the raw email body in the UI.

Risk and Exploitability

The CVSS score of 5.3 corresponds to moderate severity. The EPSS score is not provided, and the issue is not listed in the CISA KEV catalog. Because the victim must interact with a crafted email observable, typically delivered via a shared STIX bundle or an ingester, the exposed population is limited to users with direct access to the OpenCTI web interface. Successful exploitation nevertheless permits session hijacking and can lead to credential theft for the affected account.

Generated by OpenCVE AI on June 3, 2026 at 03:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCTI Platform to version 7.260227.0 or newer, which sanitizes the email-message body rendering and eliminates the XSS vulnerability.
  • If an immediate upgrade is not feasible, disable or remove the rendering of the email body field for untrusted content, or implement a whitelist that strips executable scripts before display.
  • Review all STIX importers and ingester configurations to ensure that raw email body data is either sanitized or omitted entirely from observable displays.

Generated by OpenCVE AI on June 3, 2026 at 03:56 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 04:30:00 +0000

Type: First Time appeared
Values Added: Opencti-platform; Opencti-platform opencti

Type: Vendors & Products
Values Added: Opencti-platform; Opencti-platform opencti

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
Values Added: OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does require user interaction but could be exploited by someone sharing stix or any of the ingester. This could lead to CSRF and then large scale session theft. Version 7.260227.0 contains a fix.

Type: Title
Values Added: OpenCTI has XSS in the rendering of email-message observable body data

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T14:23:27.028Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35212

Vulnrichment

Updated: 2026-06-03T14:23:14.679Z

NVD

Status : Received

Published: 2026-06-02T22:16:16.727

Modified: 2026-06-02T22:16:16.727

Link: CVE-2026-35212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:15:24Z

Weaknesses