Part of Lyceum Intelligence, deep-research In Focus reports.

CVE-2026-39980 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-39980 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-39980 is a server-side template injection vulnerability in OpenCTI, an open source cyber threat intelligence management platform. It lies in the safeEjs.ts file, which fails to properly sanitize user-supplied EJS (Embedded JavaScript) template input.

Technical Detail

The flaw exists because safeEjs.ts does not adequately sanitize EJS template expressions before rendering, allowing an attacker with sufficient platform privileges (specifically the "Manage" role or equivalent) to inject arbitrary template directives. Successful exploitation could allow the attacker to execute arbitrary JavaScript server-side, potentially leading to remote code execution (RCE) on the underlying host. The vulnerability is present in all OpenCTI versions prior to 6.9.5, and the attack surface is limited to authenticated users who hold elevated platform roles, reducing but not eliminating risk in multi-tenant or shared deployments.

Exploitation Status

No known exploit code has been publicly identified or confirmed at this time. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploit maturity is currently assessed as none, meaning no public proof-of-concept or operational exploit has been observed. This status should be monitored, as template injection vulnerabilities in widely deployed intelligence platforms can attract rapid weaponization once details are public.

Who Is Targeting This

No specific threat actor has been attributed at this time, and no campaigns or targeted sectors have been associated with this vulnerability. Given that OpenCTI is predominantly used by security operations teams, threat intelligence analysts, and government or critical infrastructure organizations, any future exploitation would likely be of interest to actors seeking to compromise threat intelligence workflows or pivot within security-focused environments.

What To Do

Upgrade OpenCTI to version 6.9.5 or later immediately, as this is the confirmed patched release. Organizations unable to patch immediately should audit and restrict which user accounts hold the "Manage" role, applying the principle of least privilege to reduce the pool of accounts capable of triggering this vulnerability. Monitor application logs for anomalous EJS template rendering activity or unexpected server-side process execution originating from the OpenCTI application process. Given the CVSS score of 9.1 and the RCE potential, this should be treated as a high-priority patch even in the absence of confirmed active exploitation.
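As an added illustration of the vulnerability class described under Technical Detail and of the log-monitoring advice above, the Node.js snippet below is not OpenCTI's safeEjs.ts (this briefing does not show that file's internals) but a generic pair of defensive checks: detecting EJS directive tags in untrusted text so it can be rejected or logged, and rendering only from a trusted constant template into which untrusted values enter as escaped data. All function names and sample inputs are constructed for this example and assume EJS's default `%` delimiter.

```javascript
// Added example, not OpenCTI's safeEjs.ts: defensive handling for EJS template
// injection. Untrusted text must never become the *template*; it may only
// become *data* rendered by a trusted template.

// Meaning of each EJS open-tag form. "<%%" is the escape for a literal "<%".
const TAG_KINDS = {
  '%': 'literal',
  '#': 'comment',
  '=': 'escaped-output',
  '-': 'unescaped-output',
  '_': 'scriptlet',   // whitespace-slurping variant of "<%"
  '': 'scriptlet',
};

// Lists every EJS open tag in `input` (default "%" delimiter assumed) with its
// kind and offset, so a caller can reject the input or write a log event.
function findEjsDirectives(input) {
  const found = [];
  const re = /<%([%#=\-_]?)/g;
  let m;
  while ((m = re.exec(input)) !== null) {
    found.push({ kind: TAG_KINDS[m[1]], index: m.index });
  }
  return found;
}

// True only when nothing in the text would be parsed as a directive.
function isSafeTemplateInput(input) {
  return findEjsDirectives(input).every((d) => d.kind === 'literal');
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Safe rendering pattern: `template` is a trusted constant that supports only
// "<%= identifier %>" placeholders. Values are looked up in `data` and escaped;
// no expression is ever evaluated, so a directive inside `data` stays inert.
function renderFixedTemplate(template, data) {
  return template.replace(/<%=\s*([A-Za-z_$][\w$]*)\s*%>/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(data, name) ? escapeHtml(data[name]) : '');
}

// Constructed sample: an untrusted field value that contains a directive.
const untrusted = 'report <%= 1 + 1 %>';
console.log(isSafeTemplateInput(untrusted));                        // false: reject or log
console.log(renderFixedTemplate('Title: <%= t %>', { t: untrusted }));
// Title: report &lt;%= 1 + 1 %&gt;  (rendered as inert text, never evaluated)
```

The first check is the kind of gate a rendering path applies before any user-controlled string reaches the template engine; the second is the pattern that makes the gate unnecessary for the data path, because values are never parsed as template code.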
