CVE-2026-39980
Published: 09 April 2026
Summary
CVE-2026-39980 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Citeum Opencti. Its CVSS base score is 9.1 (Critical).
Exploitation maps to the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks at the 31.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper sanitization of EJS templates in safeEjs.ts by validating template input so that notifier template processing cannot execute arbitrary JavaScript.
- AC-6 (Least Privilege): restricts the 'Manage customization' capability required for exploitation, limiting which users can supply notifier templates at all.
- SI-2 (Flaw Remediation): requires timely patching to OpenCTI 6.9.5 or later, which removes the unsanitized EJS template handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is due to improper sanitization of EJS templates, directly enabling template injection (T1221) for arbitrary JavaScript code execution in the server process.
NVD Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.
Deeper analysis
CVE-2026-39980 is a critical-severity vulnerability (CVSS 9.1, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) in OpenCTI, an open-source platform for managing cyber threat intelligence knowledge and observables. The issue stems from improper sanitization of EJS templates in the safeEjs.ts file in versions prior to 6.9.5 and is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Because the templates are not sanitized, user-supplied template content is executed as-is during notifier operations.
Exploitation requires high privileges, specifically the "Manage customization" capability within OpenCTI, but is then possible remotely over the network with low complexity and no user interaction. A successful attack runs arbitrary JavaScript in the context of the OpenCTI platform process, with high impact on confidentiality, integrity, and availability; the changed scope (S:C) reflects that the impact extends beyond the vulnerable component to the resources the platform process can reach.
The vulnerability is addressed in OpenCTI version 6.9.5, as detailed in the project's release notes (https://github.com/OpenCTI-Platform/opencti/releases/tag/6.9.5) and security advisory (https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jv9r-jw2f-rhrf). Security practitioners should upgrade to 6.9.5 or later and review access to the Manage customization capability.
Details
- CWE(s)