Cyber Resilience

CVE-2026-39980

Critical

Published: 09 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed in 6.9.5)
CVSS v3.1: 9.1 (Critical) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.0052 (40.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-39980 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Citeum Opencti. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). Its EPSS score of 0.0052 sits at the 40.2nd percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-39980 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) affecting OpenCTI, an open-source platform for managing cyber threat intelligence knowledge and observables. The issue stems from improper sanitization of EJS templates in the safeEjs.ts file in versions prior to 6.9.5 and is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Because the template text is handed to the template engine without adequate sanitization, a template supplied through the customization features is executed as code when a notifier runs.

An attacker requires high privileges, specifically the "Manage customization" capability within OpenCTI, to exploit this remotely over the network with low attack complexity and no user interaction. Successful exploitation runs arbitrary JavaScript in the OpenCTI platform (Node.js) process, so the impact is not confined to what the web application would authorize for that user: the attacker inherits whatever the process itself can reach, such as its configuration and environment and the backend services it connects to. That is why the vector carries a changed scope (S:C) together with high impact on confidentiality, integrity, and availability.

The vulnerability is fixed in OpenCTI version 6.9.5, as detailed in the project's release notes (https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5) and security advisory (https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf). Upgrade to 6.9.5 or later. Because exploitation needs an authenticated account holding Manage customization, also review which users and groups hold that capability and trim it to the administrators who actually need it; for instances that cannot be upgraded immediately this is a compensating control, not a substitute for the patch.
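To make the failure mode concrete, here is an added example that is not OpenCTI's code and does not reproduce the contents of safeEjs.ts (which this page does not show): a miniature EJS-style compiler that, like any code-generating template engine, turns tag bodies into JavaScript executed in the server process, next to a restricted renderer that accepts only `<%= dotted.path %>` interpolation and resolves it by own-property lookup against the notification data, never compiling anything. It is the kind of input validation the SI-10 control below refers to. All function names, the sample templates and the sample data are constructed for illustration.

```javascript
// Added example, not OpenCTI's safeEjs.ts: a miniature EJS-style compiler
// (vulnerable) beside an interpolation-only renderer (hardened). Names,
// sample templates and sample data are constructed for illustration.

const TAG = /<%([=-]?)([\s\S]*?)%>/g; // <% code %>, <%= escaped %>, <%- raw %>

// HTML-escape output, as EJS does for <%= %> tags.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the template text becomes the source of a JavaScript function.
// A scriptlet (<% %>) body is pasted in verbatim and an output tag becomes an
// arbitrary expression, so whoever writes the template writes server-side code.
function compileUnsafe(template) {
  let body = 'let out = "";\n';
  let last = 0;
  for (const m of template.matchAll(TAG)) {
    body += `out += ${JSON.stringify(template.slice(last, m.index))};\n`;
    if (m[1] === '=') body += `out += escape(${m[2]});\n`;
    else if (m[1] === '-') body += `out += (${m[2]});\n`;
    else body += `${m[2]}\n`;
    last = m.index + m[0].length;
  }
  body += `out += ${JSON.stringify(template.slice(last))};\nreturn out;`;
  return new Function('locals', 'escape', body); // eslint-disable-line no-new-func
}

function renderUnsafe(template, locals) {
  return compileUnsafe(template)(locals, escapeHtml);
}

// HARDENED: no compilation step at all. Only <%= dotted.path %> is accepted,
// the path is resolved against plain data by own-property lookup (so
// constructor, __proto__ and other inherited members are unreachable), and
// the resolved value must be a scalar, so nothing is ever called.
const PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`unknown field: ${path}`);
    }
    cur = cur[key];
  }
  if (cur !== null && (typeof cur === 'object' || typeof cur === 'function')) {
    throw new Error(`field is not a scalar: ${path}`);
  }
  return cur;
}

function renderRestricted(template, data) {
  let out = '';
  let last = 0;
  for (const m of template.matchAll(TAG)) {
    out += template.slice(last, m.index);
    const expr = m[2].trim();
    if (m[1] !== '=') throw new Error(`scriptlet or raw tag rejected: <%${m[1]}${m[2]}%>`);
    if (!PATH.test(expr)) throw new Error(`expression rejected: ${expr}`);
    out += escapeHtml(lookup(data, expr));
    last = m.index + m[0].length;
  }
  return out + template.slice(last);
}

// Convenience for callers and tests: the rejection reason, or null if rendered.
function rejectionReason(template, data) {
  try {
    renderRestricted(template, data);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Constructed sample: the data a notifier template would receive.
const sample = { user: { name: 'Ana <analyst>' }, event: { count: 3 } };

// Legitimate template: renders under both (the unsafe one needs the
// `locals.` prefix because it compiles without a `with` scope).
console.log(renderUnsafe('Hi <%= locals.user.name %>, <%= locals.event.count %> alerts', sample));
console.log(renderRestricted('Hi <%= user.name %>, <%= event.count %> alerts', sample));

// Malicious template: the unsafe renderer reads process state (the Node
// version here, but any code would run) and executes the scriptlet; the
// restricted renderer refuses it because `process` is not a field of the data.
const evil = 'runtime: <%= process.version %> <% globalThis.pwned = true %>';
console.log(renderUnsafe(evil, sample));
console.log(rejectionReason(evil, sample));
```

The restricted renderer deliberately has no escape hatch: if a notifier needs logic (conditionals, loops, formatting), that logic belongs in server code that prepares the data, not in a template that privileged but untrusted users can edit.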


Vulnerability details

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

CWE(s)

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Related Threats

MITRE ATT&CK Enterprise Techniques

T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The vulnerability is due to improper sanitization of EJS templates, which enables template injection (T1221) for arbitrary JavaScript execution in the server process. Note that ATT&CK defines T1221 in terms of document-template references on endpoints (for example Office templates); it is the nearest enterprise technique to this server-side template injection rather than an exact description of it.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21887 (same product: Citeum Opencti)
CVE-2026-21886 (same product: Citeum Opencti)
CVE-2026-27960 (same product: Citeum Opencti)
CVE-2026-44730 (same product: Citeum Opencti)
CVE-2020-37041 (same product: Citeum Opencti)
CVE-2025-61781 (same product: Citeum Opencti)
CVE-2025-12107 (shared CWE-1336)
CVE-2026-34172 (shared CWE-1336)
CVE-2025-64087 (shared CWE-1336)
CVE-2026-27629 (shared CWE-1336)

Affected Assets

citeum / opencti
Affected: versions before 6.9.5 (fixed in 6.9.5)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the improper sanitization of EJS templates in safeEjs.ts by enforcing input validation on notifier templates so that they cannot carry arbitrary JavaScript into template processing.

AC-6 Least Privilege (prevent)
Restricts the 'Manage customization' capability required for exploitation to the smallest set of administrators, limiting who is in a position to inject a malicious template.

SI-2 Flaw Remediation (prevent)
Requires timely patching to OpenCTI 6.9.5 or later, which removes the unsanitized EJS template handling.

References

https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5
https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf