CVE-2026-39980 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 9, 2026
OpenCTI - Stored XSS
Published: April 9, 2026 | Updated: April 9, 2026 | Remote Exploitable
Overview
OpenCTI before version 6.9.5 contains a stored XSS caused by improper sanitization of EJS templates in safeEjs.ts. A user who holds the Manage customization capability can execute arbitrary JavaScript in the platform context; that capability is required to exploit the issue.
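The weakness class behind this advisory (CWE-1336) is a template engine evaluating user-controlled template text as code. The following is an added illustration of the defensive pattern, written for this page; it is not OpenCTI's safeEjs.ts and makes no claim about how that file works. It assumes a tenant-editable template and shows two layers: rejecting any EJS tag syntax outright, and rendering only an allow-listed `{{name}}` placeholder syntax that substitutes HTML-escaped values and never evaluates code. The sample templates and data are constructed.

```javascript
// Added example (not OpenCTI code): treat user-supplied templates as data.
// Every EJS tag form (<% %>, <%= %>, <%- %>, <%# %>) is evaluated by the
// engine in the rendering process, so any "<%" in a user-editable template
// is treated as code and rejected before it can reach a renderer.
const EJS_TAG_RE = /<%/; // conservative: matches the opening of every EJS tag

function containsEjsTag(template) {
  return EJS_TAG_RE.test(String(template));
}

// Minimal HTML escaping for values substituted into an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow-listed placeholder renderer: only `{{identifier}}` is recognised,
// values are escaped, unknown keys render as an empty string, and a template
// containing EJS tag syntax is refused with an error (hypothetical policy).
function renderPlaceholders(template, data) {
  if (containsEjsTag(template)) {
    throw new Error('template contains EJS tag syntax and was rejected');
  }
  return String(template).replace(
    /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g,
    (_, key) =>
      Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : ''
  );
}

// Constructed sample inputs.
const benignTemplate = 'Hello {{ name }}, welcome to {{org}}.';
const templateWithTag = 'Hello <%= name %>';

console.log(renderPlaceholders(benignTemplate, { name: '<b>Ann</b>', org: 'ACME' }));
// → Hello &lt;b&gt;Ann&lt;/b&gt;, welcome to ACME.
console.log(containsEjsTag(templateWithTag)); // → true
```

The point of the design is that the customization surface never hands template text to the EJS engine at all: the placeholder language is deliberately too weak to express code, which removes the class of bug rather than filtering individual payloads.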
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Users with Manage customization capability can execute arbitrary JavaScript in the platform process, potentially leading to full system compromise.
Mitigation
Update to version 6.9.5 or later.
Details
- CVE ID: CVE-2026-39980
- Severity: Critical
- CVSS Score: 9.1
- Type: stored_xss
- Status: new
CWE
- CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H