
OpenCTI CVE-2026-35212

EUVD-2026-34035 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated: Jun 03, 2026 - 00:05 (vuln.today)
Patch available: Jun 02, 2026 - 23:01 (EUVD)
CVSS changed: Jun 02, 2026 - 22:22 (NVD), 5.3 (MEDIUM)
CVE Published: Jun 02, 2026 - 21:28 (nvd), UNKNOWN (no severity yet)

Description (GitHub Advisory)

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. It does require user interaction but could be exploited by someone sharing STIX data or through any of the ingesters. This could lead to CSRF and then large-scale session theft. Version 7.260227.0 contains a fix.

Analysis (AI)

Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Submit malicious STIX email-message via ingester/sharing
Delivery: Payload stored in OpenCTI observable database
Exploit: Authenticated analyst views email-message observable
Execution: Unsanitized body renders JavaScript in browser
Persist: XSS triggers CSRF request
Impact: Session tokens harvested at scale

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two distinct conditions. First, the attacker must be able to introduce STIX data containing a malicious email-message observable body into the platform, achievable via an external STIX sharing partnership, a configured ingester, or any feed the platform trusts; no platform authentication is required for this step (CVSS PR:N confirmed). …
Risk Assessment: The CVSS 4.0 base score of 5.3 (Medium) reflects a nuanced picture: the attack vector is network-accessible and injection requires no authentication (PR:N), but the impact is confined to subsequent system effects (SC:L/SI:L) and requires user interaction (UI:P), which prevents fully automated exploitation. …
Exploit Scenario: An attacker with access to an external STIX sharing feed or ingester integration submits a crafted email-message STIX object containing a JavaScript payload in the body field; no platform account is required. When an authenticated OpenCTI analyst views the observable, the unsanitized body renders the script in their browser session, which then silently issues CSRF requests to exfiltrate session tokens or perform privileged actions on behalf of the victim. …
Remediation: Upgrade to OpenCTI version 7.260227.0, which contains the vendor-released fix per GitHub security advisory GHSA-rg6r-x26x-63vq (https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-rg6r-x26x-63vq). …
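As an added example (not OpenCTI's own code, nor from the advisory), the kind of defensive check a team running an unpatched instance could apply to inbound STIX bundles: it walks every email-message object, flags bodies (including MIME parts) that carry active markup, and shows the escaping a renderer should apply so the body is displayed as text. The function names, the active-content heuristic and the sample bundle with placeholder UUIDs are all constructed for this illustration.

```python
import html
import re

# Heuristic for active content in a body that a UI might render as HTML:
# script/iframe/svg elements, inline on* event handlers and javascript: URLs.
# Constructed for this example; review hits by hand, and escape or sanitize
# on render regardless of what ingestion-time filtering catches.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|svg)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def email_bodies(bundle: dict):
    """Yield (object id, body) for each email-message body, MIME parts included."""
    for obj in bundle.get("objects", []):
        if obj.get("type") != "email-message":
            continue
        if obj.get("body"):
            yield obj["id"], obj["body"]
        for part in obj.get("body_multipart", []):
            if part.get("body"):
                yield obj["id"], part["body"]

def flag_active_content(bundle: dict) -> list:
    """Return the ids of email-message objects whose body carries active markup."""
    return sorted({oid for oid, body in email_bodies(bundle)
                   if ACTIVE_CONTENT.search(body)})

def render_body_safely(body: str) -> str:
    """Escape the body so a browser shows it as text rather than executing markup."""
    return html.escape(body, quote=True)

# Constructed sample bundle (placeholder UUIDs): one plain-text message and one
# HTML MIME part that carries a script element.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "email-message", "id": "email-message--00000000-0000-4000-8000-000000000002",
         "is_multipart": False, "subject": "Invoice", "body": "Please find the invoice attached."},
        {"type": "email-message", "id": "email-message--00000000-0000-4000-8000-000000000003",
         "is_multipart": True,
         "body_multipart": [{"content_type": "text/html",
                             "body": "<p>Hello</p><script>document.title</script>"}]},
    ],
}
```

Run `flag_active_content(SAMPLE_BUNDLE)` to list the objects worth holding back for review; `render_body_safely` is the minimal treatment a body should get before it reaches the DOM if a full HTML sanitizer is not in place.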

