CVE-2026-35212
MEDIUM
OpenCTI has XSS in the rendering of email-message observable body data
Title source: cnaDescription
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data: the content of the body field is not appropriately sanitized when it is rendered. Exploitation requires user interaction, but the payload could be delivered by someone sharing STIX or through any of the ingesters. This could lead to CSRF and then large-scale session theft. Version 7.260227.0 contains a fix.
References (1)
x_refsource_confirm: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-rg6r-x26x-63vq
Scores
CVSS v3: 6.1
EPSS: 0.0015
EPSS Percentile: 4.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
citeum/opencti < 7.260227.0
OpenCTI-Platform/opencti < 7.260227.0
Published: Jun 02, 2026
Tracked Since: Jun 03, 2026