CVE-2026-9806 MEDIUM

CVE-2026-9806: Stored Cross-Site Scripting (XSS) in CTI Transmute Notification Panel via Malicious Convert Names

Weakness CWE-79 · XSS
Published May 28, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/RE:L/U:Clear

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-8627 Ultimate TinyMCE <= 5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1891 Stored Cross Site Scripting CVE-2025-10546 Cross-Site Scripting (XSS) Vulnerability in PPC XPON ONT Wi-Fi Router CVE-2025-58966 WordPress NEX-Forms LITE plugin < 8.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-6283 DethemeKit For Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget