CVE-2026-35212: OpenCTI Email Observable XSS Vulnerability (CVSS 6.1)
OpenCTI, an open-source threat intelligence platform, contains a cross-site scripting (XSS) vulnerability in how it renders email message data. An attacker can craft a malicious email observable with unsanitized content in the message body, which executes JavaScript in a victim's browser when they view it. Because threat intelligence is often shared across teams via STIX files or automated ingesters, this could be weaponized to steal session cookies at scale, potentially compromising multiple analysts' accounts. The vulnerability requires user interaction—someone must view the crafted email observable—but the attack surface is broad given how threat intelligence is typically distributed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Does require user interaction but could be exploited by someone sharing stix or any of the ingester. This could lead to CSRF and then large scale session theft. Version 7.260227.0 contains a fix.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in OpenCTI's rendering layer for email-message observables. The body field of email messages is not properly HTML-escaped or sanitized before being inserted into the DOM, allowing arbitrary JavaScript execution within the security context of the OpenCTI web application. This is a stored or reflected XSS depending on how the malicious observable is delivered. Because OpenCTI allows sharing of STIX objects and automated ingestion from external feeds, a threat actor can inject a crafted email observable that will execute when any user views it. The attack vector is network-accessible, requires no authentication to craft and distribute (particularly via STIX file sharing), but does require user interaction to trigger. The cross-site nature of the vulnerability means an attacker can steal session tokens, perform unauthorized actions as the victim user, or redirect to phishing pages.
Business impact
For organizations using OpenCTI as a centralized intelligence repository, this vulnerability creates a bridgehead for lateral privilege escalation and account takeover. A single malicious email observable shared across the threat intelligence team could compromise multiple analyst accounts simultaneously. Compromised sessions could allow an attacker to exfiltrate sensitive intelligence, modify threat data to sow disinformation, or establish persistence within the intelligence workflow. In mature threat intelligence operations where OpenCTI is integrated with automation and response workflows, a compromised admin account could affect downstream security tools and incident response processes.
Affected systems
OpenCTI versions prior to 7.260227.0 are vulnerable. Organizations should inventory all OpenCTI deployments regardless of whether they are publicly exposed, as the vulnerability can be exploited by any user with access to the platform or anyone who can introduce a malicious STIX file into the ingestion pipeline. This includes on-premises and cloud deployments, and extends to any environment where OpenCTI consumes threat feeds from external sources.
Exploitability
Exploitability is moderate but realistic. The vulnerability requires crafting a STIX object with a malicious email observable and delivering it to users—either by sharing a file, publishing to a feed that OpenCTI ingests, or direct upload if the attacker has basic platform access. No sophisticated exploitation is needed; simple HTML and JavaScript suffice. The user interaction requirement (viewing the email observable) limits the attack to targeted scenarios, but in active threat intelligence teams where analysts routinely review shared observables, the barrier is low. The CVSS 6.1 MEDIUM rating reflects the network vector, low attack complexity, and requirement for user interaction balanced against limited confidentiality and integrity impact (no availability loss).
Remediation
Upgrade OpenCTI to version 7.260227.0 or later. This version contains input sanitization and output encoding fixes for email observable body rendering. After patching, conduct a retrospective review of ingested email observables to identify whether any malicious content was introduced during the window of vulnerability. If your OpenCTI instance is fed by automated ingesters or shared STIX feeds, validate the integrity of those sources.
Patch guidance
Version 7.260227.0 is the fixed release. Consult the official OpenCTI release notes and the Citeum advisory for specific upgrade steps, as the process depends on your deployment method (Docker, bare metal, Kubernetes). Test the upgrade in a non-production environment first to ensure compatibility with your existing observables and custom integrations. If you are running an older major version (e.g., 7.x), verify that 7.260227.0 is a valid upgrade path and that you do not need to stage intermediate versions. For organizations with high-volume ingestion pipelines, schedule the upgrade during a maintenance window to avoid observer disruption.
Detection guidance
Monitor OpenCTI logs for unusual ingestion patterns, particularly email observables with suspicious body content containing script tags, event handlers, or encoded payloads. Review access logs for users who accessed email observables around the time suspicious ingesters were active. If your OpenCTI deployment integrates with a SIEM, correlate web application logs for XSS payloads or unusual JavaScript execution. Post-upgrade, run a data sanitization audit on stored observables to identify any that may have contained malicious content. Implement network-level monitoring of STIX feed sources to detect if any feeds are publishing suspect observables.
Why prioritize this
While the CVSS score is MEDIUM, the context of OpenCTI as a centralized intelligence hub elevates risk. A single compromised analyst account can cascade into loss of confidence in threat data and compromise of downstream incident response. The vulnerability is trivial to exploit once a user is identified, making it an attractive vector for supply-chain attacks via poisoned threat feeds. Patches are available and straightforward to deploy, making this a high-priority tactical fix despite moderate severity metrics.
Risk score, explained
The CVSS 6.1 score reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) requiring no privileges (PR:N), but offset by user interaction (UI:R) and a changed security scope (S:C). The impact is limited to confidentiality and integrity of the user's session and the data they can access; there is no availability impact (A:N). The cross-site scope modifier elevates the score because a compromised user can access resources beyond their own session. In the context of a centralized threat intelligence platform, this should be treated as HIGH priority despite the MEDIUM label, because the integrity of intelligence data is a business-critical function.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. An attacker must craft a malicious email observable and ensure a user views it within OpenCTI. However, in environments where threat analysts routinely ingest and review shared STIX objects or subscribe to threat feeds, the user interaction bar is low and occurs during normal workflow.
Does this affect only externally facing OpenCTI deployments?
No. Any OpenCTI instance is at risk if it ingests STIX files or observables from external sources, or if multiple internal users share observables. Even internal-only deployments are vulnerable if a user is tricked into viewing a malicious observable or if an automated ingester pulls a poisoned feed.
What is the primary risk—session theft or data modification?
Both are possible. An attacker stealing a session token can then perform any action the victim could perform: read sensitive intelligence, modify observables, or delete data. In mature environments, this could also compromise downstream automation that relies on OpenCTI data.
Is there a workaround if we cannot upgrade immediately?
Partial mitigations include restricting email observable ingestion from untrusted sources, disabling automated STIX feed imports temporarily, and educating users not to open email observables from unknown sources. However, these do not eliminate the risk. Patching is the only complete fix.
This analysis is based on publicly disclosed information as of June 2026. Exploit details, vendor advisories, and patch availability may change. Verify all version numbers and upgrade procedures against official Citeum/OpenCTI documentation and your deployment configuration. This analysis is for defensive security planning only and should not be used to develop or test exploitation techniques. Consult your vendor and conduct your own testing in isolated environments before deploying patches to production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1