
OpenCTI EUVD-2026-20972

CVE-2026-39980 | CRITICAL 9.1 (CVSS 3.1)
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
Published 2026-04-09 (GitHub_M)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated - Apr 22, 2026 00:42 (vuln.today): v2 (cvss_changed)
Re-analysis Queued - Apr 22, 2026 00:37 (vuln.today): cvss_changed
Analysis Updated - Apr 16, 2026 05:44 (EUVD-patch-fix): executive_summary
Re-analysis Queued - Apr 16, 2026 05:29 (backfill_euvd_patch): patch_released
Patch available - Apr 16, 2026 05:29 (EUVD): 6.9.5
EUVD ID Assigned - Apr 09, 2026 17:45 (euvd): EUVD-2026-20972
Analysis Generated - Apr 09, 2026 17:45 (vuln.today)
CVE Published - Apr 09, 2026 16:54 (nvd): CRITICAL 9.1

Description (NVD)

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution. This vulnerability is fixed in 6.9.5.

Analysis (AI)

Server-Side Template Injection in OpenCTI notifier templates allows privileged administrators with 'Manage customization' capability to execute arbitrary JavaScript in the platform process context. Affecting all versions prior to 6.9.5, this vulnerability permits authenticated high-privilege users to achieve complete system compromise through unsafe EJS template rendering in safeEjs.ts. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Compromise admin account
Delivery: Access notifier settings
Exploit: Inject malicious EJS template
Execution: Platform processes template
Persist: Execute arbitrary JavaScript
Impact: Access sensitive CTI data

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access with High privileges (PR:H), specifically the 'Manage customization' capability in OpenCTI. …
Risk Assessment: Despite the CVSS 9.1 Critical score, real-world risk is constrained by strict prerequisite conditions. …
Exploit Scenario: An attacker compromises an OpenCTI administrator account with 'Manage customization' privileges through phishing or credential theft. They navigate to the notification settings and create a malicious notifier template containing embedded JavaScript payloads disguised as legitimate EJS template code. …
Remediation: Upgrade immediately to OpenCTI version 6.9.5 or later, released February 2026, which includes fixes for the unsafe template sanitization in safeEjs.ts. …

Recommended Action (AI)

Within 24 hours: Identify all OpenCTI deployments and their current versions; verify no versions prior to 6.9.5 are in production use. …



EUVD-2026-20972 vulnerability details – vuln.today
