Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.
Published: 2026-04-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the safeEjs.ts file failing to sanitize EJS templates. A user with the Manage customization capability can embed arbitrary JavaScript in a notifier template, which is executed in the context of the OpenCTI platform process. This leads to remote code execution within the platform's environment, allowing an attacker to compromise the confidentiality, integrity, and availability of the system. The weakness is classified as CWE-1336.

Affected Systems

OpenCTI Platform (opencti) versions prior to 6.9.5 are affected. The vulnerability is fixed in 6.9.5. Attackers must have Manage customization rights on the affected installation.

Risk and Exploitability

The CVSS base score is 9.1, reflecting a high severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. An attacker who gains Manage customization privileges can exploit the flaw by creating or modifying a notifier template, resulting in arbitrary code execution. Given the lack of an actively exploited variant in the wild, the likelihood of exploitation may be low, but the potential impact is severe, warranting immediate action.

Generated by OpenCVE AI on April 9, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply OpenCTI version 6.9.5 or later
  • Restrict Manage customization capability to trusted users until the patch is applied
  • Verify that notifier templates are safe and no unsanitized EJS is used

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Citeum; Citeum opencti
CPEs                  -                cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*
Vendors & Products    -                Citeum; Citeum opencti

Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Opencti-platform; Opencti-platform opencti
Vendors & Products    -                Opencti-platform; Opencti-platform opencti

Thu, 09 Apr 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description   -                OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.
Title         -                OpenCTI affected by RCE via notifier template
Weaknesses    -                CWE-1336
References    -                -
Metrics       -                cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T18:44:10.616Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39980

Vulnrichment

Updated: 2026-04-09T18:44:05.815Z

NVD

Status : Analyzed

Published: 2026-04-09T18:17:02.203

Modified: 2026-04-22T00:27:12.723

Link: CVE-2026-39980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:04Z

Weaknesses