Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:L/U:Clear
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:L/U:Clear
Lifecycle Timeline
4DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.
AnalysisAI
Stored XSS in MISP CTI Transmute's notification bell dropdown allows an attacker who can control convert names to inject arbitrary JavaScript that executes in authenticated users' browsers upon opening the notification panel. The vulnerability, tracked as EUVD-2026-32728 and reported by CIRCL, stems from innerHTML-based rendering of user-controlled notification content in base.html and affects all versions prior to upstream commit cf42409 - critically, only on the development branch, not production releases. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P reflects that exploitation requires the attacker to first influence a convert name surfaced in a notification.
Technical ContextAI
CTI Transmute (CPE: cpe:2.3:a:misp:cti-transmute:*:*:*:*:*:*:*:*) is a MISP-developed web application for converting threat intelligence between MISP and STIX formats. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS): the notification panel in website/web/templates/base.html used innerHTML to inject notification message strings - including user-controlled convert names - directly into the DOM. Because innerHTML parses its argument as HTML markup, an attacker-controlled convert name containing script tags or event handler attributes is interpreted and executed as JavaScript. The remediation in commit cf42409 replaces innerHTML assignment with explicit DOM element construction and textContent assignment, which treats the input as literal text and strips any HTML interpretation.
RemediationAI
The upstream fix is available as commit cf42409badc27b13d9bb644b9175aa7f27e11259 in the MISP CTI Transmute repository at https://github.com/MISP/cti-transmute/commit/cf42409badc27b13d9bb644b9175aa7f27e11259. This commit resolves the vulnerability by replacing innerHTML-based notification rendering with safe DOM construction and textContent assignment in base.html. A released patched version number has not been independently confirmed - only the upstream commit is available. Teams tracking the CTI Transmute development branch should pull the latest commit incorporating cf42409 or cherry-pick it directly. Organizations running production/tagged releases of CTI Transmute are not affected and no action is required per the CVE scope statement. For any development-branch deployments where immediate patching is not feasible, restricting network access to the CTI Transmute instance to trusted internal users limits the attacker's ability to submit malicious convert names, though this trades off accessibility for external collaborators.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32728
GHSA-w9rm-vvqp-qq3h