CVE-2026-39980 CRITICAL

CVE-2026-39980: OpenCTI affected by RCE via notifier template

Vendor Opencti-Platform
Product opencti
Weakness CWE-1336
Published April 9, 2026
Last update April 9, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

Key dates

02Disclosure timeline

April 9, 2026 CVE published
April 9, 2026 Record updated