{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39980", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T16:54:31.566Z", "dateUpdated": "2026-04-09T18:44:10.616Z"}, "containers": {"cna": {"title": "OpenCTI affected by RCE via notifier template", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf"}, {"name": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5"}], "affected": [{"vendor": "OpenCTI-Platform", "product": "opencti", "versions": [{"version": "< 6.9.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:54:31.566Z"}, "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5."}], "source": {"advisory": "GHSA-jv9r-jw2f-rhrf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:43:53.562351Z", "id": "CVE-2026-39980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:44:10.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T18:43:53.562351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:44:05.815Z"}}], "cna": {"title": "OpenCTI affected by RCE via notifier template", "source": {"advisory": "GHSA-jv9r-jw2f-rhrf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenCTI-Platform", "product": "opencti", "versions": [{"status": "affected", "version": "< 6.9.5"}]}], "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf", "name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5", "name": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:54:31.566Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39980", "state": "PUBLISHED", "dateUpdated": "2026-04-09T18:44:10.616Z", "dateReserved": "2026-04-08T00:01:47.628Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:54:31.566Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "matchCriteriaId": "62B2280A-9179-4CDB-A6B4-EB11173EF85C", "versionEndExcluding": "6.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5."}], "id": "CVE-2026-39980", "lastModified": "2026-04-22T00:27:12.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T18:17:02.203", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opencti", "source": "cna", "vendor": "OpenCTI-Platform"}, "product": "opencti", "vendor": "opencti-platform"}], "analysis": {"en": {"generated_at": "2026-04-09T18:22:27.625632+00:00", "value": {"mitigation_remediation": ["Apply OpenCTI version 6.9.5 or later", "Restrict Manage customization capability to trusted users until the patch is applied", "Verify that notifier templates are safe and no unsanitized EJS is used"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "OpenCTI Platform (opencti) versions prior to 6.9.5 are affected. The vulnerability is fixed in 6.9.5. Attackers must have Manage customization rights on the affected installation.", "description_and_impact": "The vulnerability arises from the safeEjs.ts file failing to sanitize EJS templates. A user with the Manage customization capability can embed arbitrary JavaScript in a notifier template, which is executed in the context of the OpenCTI platform process. This leads to remote code execution within the platform\u2019s environment, allowing an attacker to compromise confidentiality, integrity, and availability of the system. The weakness is classified as CWE\u20111336.", "risk_and_exploitability": "The CVSS base score is 9.1, reflecting a high severity. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker who gains Manage customization privileges can exploit the flaw by creating or modifying a notifier template, resulting in arbitrary code execution. Given the lack of an actively exploited variant in the wild, the likelihood of exploitation may be low, but the potential impact is severe, warranting immediate action."}}}}, "created": "2026-04-10T08:52:52.938511+00:00", "updated": "2026-04-10T09:32:04.655043+00:00", "vendors": ["opencti-platform", "opencti-platform$PRODUCT$opencti"]}