Description
A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.
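An added example (not CTI Transmute's or MISP's own code) contrasting the innerHTML rendering the advisory describes with the textContent remediation; the `FakeElement`/`fakeDocument` stand-in, the notification wording and the hostile convert name are all constructed here so the snippet runs under Node without a browser.

```javascript
// Added example, not project code. Constructed DOM stand-in: in a browser the
// real `document` is used and innerHTML goes through the HTML parser.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (ch) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch]));

class FakeElement {
  constructor(tag) { this.tag = tag; this.className = ''; this.nodes = []; }
  // textContent replaces all children with one text node; never parsed as HTML.
  set textContent(v) { this.nodes = [{ text: String(v) }]; }
  get textContent() { return this.nodes.map((n) => n.text ?? n.markup ?? n.textContent).join(''); }
  // innerHTML hands the string to the HTML parser (the stand-in just keeps it raw).
  set innerHTML(html) { this.nodes = [{ markup: String(html) }]; }
  appendChild(child) { this.nodes.push(child); return child; }
  // Serialise as a browser would: text nodes are escaped, markup is emitted verbatim.
  get outerHTML() {
    const inner = this.nodes.map((n) =>
      n.markup !== undefined ? n.markup
      : n.text !== undefined ? escapeHtml(n.text)
      : n.outerHTML).join('');
    const cls = this.className ? ` class="${this.className}"` : '';
    return `<${this.tag}${cls}>${inner}</${this.tag}>`;
  }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// Vulnerable pattern (CWE-79): the user-controlled convert name is interpolated
// into markup, so a name containing HTML is parsed and any event handler runs.
function renderNotificationVulnerable(doc, convertName) {
  const item = doc.createElement('li');
  item.className = 'notification';
  item.innerHTML = `Convert finished: <b>${convertName}</b>`;
  return item;
}

// Remediated pattern: build the element with DOM methods and pass the
// user-controlled value through textContent, which stores it as literal text.
function renderNotificationFixed(doc, convertName) {
  const item = doc.createElement('li');
  item.className = 'notification';
  item.textContent = 'Convert finished: ';
  const name = doc.createElement('b');
  name.textContent = convertName; // '<' and '"' stay characters, not tags
  item.appendChild(name);
  return item;
}

// Constructed hostile convert name used for the demonstration.
const HOSTILE_NAME = '<img src=x onerror="alert(1)">';
```

Serialising both results with `outerHTML` shows the vulnerable item carrying the raw `<img ...>` tag while the fixed item carries only `&lt;img ...&gt;` text.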
Published: 2026-05-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability allows an attacker to inject arbitrary JavaScript into notification messages that reference user‑controlled convert names. The injected code is rendered via innerHTML in the notification bell dropdown and executes in the browser of any authenticated user who opens the panel. Successful exploitation could enable the attacker to perform actions within the victim’s session or read client‑side application data, directly affecting confidentiality and integrity of the user’s workspace.

Affected Systems

CTI Transmute, a component of the MISP platform. The vulnerability exists in all builds before the patched release and was only present on a development branch.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS score is published and the vulnerability is not listed in CISA KEV. Exploitation requires a victim with an authenticated web session to open the notification panel, and the vulnerable code was only present on a development branch, so internal or compromised user credentials are prerequisites. Because the flaw is client‑side, it can be triggered by any attacker who can influence the convert names that appear in notifications.

Generated by OpenCVE AI on May 28, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CTI Transmute to the patched release that constructs notification elements with DOM methods and uses textContent instead of innerHTML.
  • If an immediate upgrade is not possible, restrict or remove convert names that trigger notifications, or apply server‑side sanitization to convert name values before they are stored.
  • Restrict access to the development branch or deploy only the production branch to production environments to eliminate the vulnerable code path.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Misp
                                       Misp cti-transmute
Vendors & Products                     Misp
                                       Misp cti-transmute

Thu, 28 May 2026 13:30:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Type          Values Removed    Values Added
Description                     A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.
Title                           Stored Cross-Site Scripting (XSS) in CTI Transmute Notification Panel via Malicious Convert Names
Weaknesses                      CWE-79
References
Metrics                         cvssV4_0
                                {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/RE:L/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-05-28T12:14:47.532Z

Reserved: 2026-05-28T06:34:56.347Z

Link: CVE-2026-9806

Vulnrichment

Updated: 2026-05-28T12:14:42.938Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T08:16:38.000

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-9806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:49:37Z

Weaknesses