Home / Vulnerability Intelligence / CVE-2026-39980

CVE-2026-39980 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 9, 2026

OpenCTI - Stored XSS

Published: April 9, 2026Updated: April 9, 2026Remote Exploitable

Overview

OpenCTI < 6.9.5 contains a stored XSS caused by improper sanitization of EJS templates in safeEjs.ts, letting users with Manage customization capability execute arbitrary JavaScript in platform context, exploit requires Manage customization capability.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 7.1%(Probability of exploitation in next 30 days)

Impact

Users with Manage customization capability can execute arbitrary JavaScript in the platform process, potentially leading to full system compromise.

Mitigation

Update to version 6.9.5 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 12, 2026

🔴 CVE-2026-39980 - Critical (9.1) OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary Jav... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39980/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39980
Severity: Critical
CVSS Score: 9.1
Type: stored_xss
Status: new
EPSS: 7.1%
Social Posts: 1

CWE

CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

7.1%Probability of exploitation in the next 30 days