VYPR
Medium severity · NVD Advisory · Published Jun 2, 2026

CVE-2026-35212

Description

OpenCTI versions prior to 7.260227.0 are vulnerable to XSS in email message rendering, potentially leading to CSRF and session theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of OpenCTI prior to 7.260227.0 are vulnerable to a cross-site scripting (XSS) flaw in the rendering of email-message observable body data. The content of the body field is not appropriately sanitized before being displayed [1].

Exploitation

An attacker can exploit this vulnerability by sharing crafted STIX data or using an ingester that includes malicious content in the body field of an email-message observable. This requires user interaction, such as another user viewing the crafted observable [1].

Impact

Successful exploitation could lead to Cross-Site Request Forgery (CSRF) attacks, potentially resulting in large-scale session theft for users who interact with the malicious content [1].

Mitigation

OpenCTI version 7.260227.0, released on 2026-02-27, contains a fix for this vulnerability. Users are advised to upgrade to version 7.260227.0 or later. No workarounds are mentioned in the available references [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

1
4096009d43a9

[backend/worker] Release 7.260227.0

https://github.com/OpenCTI-Platform/opencti · Filigran Automation · Feb 27, 2026 · Fixed in 7.260227.0 via release-tag
5 files changed · +5 −5
  • client-python/pycti/__init__.py (+1 −1, modified)
    @@ -1,5 +1,5 @@
     # -*- coding: utf-8 -*-
    -__version__ = "7.260224.0"
    +__version__ = "7.260227.0"
     
     from .api.opencti_api_client import OpenCTIApiClient
     from .api.opencti_api_connector import OpenCTIApiConnector
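Review bot: this hunk changes only the `__version__` string and carries none of the email-message body sanitization the advisory describes, so linking this commit "via release-tag" as the fix leaves the actual rendering change unreviewable from this page; the patch record should also point at the commit that touches the email-message observable rendering. The bump itself, `"7.260224.0"` to `"7.260227.0"`, matches the release named in the Mitigation section.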
    
  • opencti-platform/opencti-front/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "opencti-front",
    -  "version": "7.260224.0",
    +  "version": "7.260227.0",
       "private": true,
       "workspaces": [
         "packages/*"
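Review bot: opencti-front is the component that renders observables, yet the only changed line here is `"version": "7.260227.0"`, so this diff cannot be used to confirm that the body field is now escaped or sanitized before display; anyone verifying the fix needs to compare the email-message rendering code between the 7.260224.0 and 7.260227.0 tags rather than rely on this bump.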
    
  • opencti-platform/opencti-graphql/package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "opencti-graphql",
    -  "version": "7.260224.0",
    +  "version": "7.260227.0",
       "private": true,
       "scripts": {
         "check-ts": "tsc --noEmit",
    
  • opencti-platform/opencti-graphql/src/python/requirements.txt (+1 −1, modified)
    @@ -1,4 +1,4 @@
    -pycti==7.260224.0
    +pycti==7.260227.0
     parsuricata==0.4.1
     yara-python==4.5.2
     sigmatools==0.23.1
    
  • opencti-worker/src/requirements.txt (+1 −1, modified)
    @@ -1,4 +1,4 @@
    -pycti==7.260224.0
    +pycti==7.260227.0
     opentelemetry-api~=1.35.0
     opentelemetry-sdk~=1.35.0
     opentelemetry-exporter-prometheus==0.56b0
    

Vulnerability mechanics

Root cause

"The content of the email-message observable body field is not properly sanitized before rendering."

Attack vector

An attacker can exploit this vulnerability by sharing a specially crafted STIX object or by using an ingester that processes email-message observables. The vulnerability requires user interaction, where a victim views the email-message observable. This could lead to Cross-Site Request Forgery (CSRF) and potentially large-scale session theft.

Affected code

The vulnerability lies in the rendering of email-message observable body data. The exact file or function responsible for the unsanitized rendering is not specified in the provided patch details, but the fix is included in version 7.260227.0.

What the fix does

The patch updates the version number across multiple components, indicating a release that includes the fix. The specific sanitization logic that was missing or insufficient is not detailed in the provided patch information. However, the release of version 7.260227.0 addresses the vulnerability by ensuring that the email-message observable body data is properly sanitized when rendered.
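Because the linked patch shows only version bumps and not the sanitization itself, the following is an added example, not OpenCTI's code, of the general pattern the root cause describes: an email-message observable body concatenated straight into markup beside a renderer that escapes it first, plus an ingestion-time check that flags bodies carrying markup for analyst review. The `body` field name follows STIX 2.1 email-message objects; the renderer functions, the regex heuristic and the sample observable are constructed here and are assumptions, not the platform's API.

```javascript
// Added example (not OpenCTI code). STIX 2.1 email-message objects carry the
// message text in "body"; everything else here is constructed for illustration.

// Characters that must never reach the DOM unescaped when a string is
// inserted as HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every HTML-significant character so the browser treats the body
// as text rather than markup.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the "before"): the body is concatenated straight into
// markup, so any tag accepted at ingestion becomes live content in the
// session of whoever views the observable.
function renderEmailBodyUnsafe(observable) {
  return `<div class="email-body">${observable.body}</div>`;
}

// Hardened pattern: escape first, then restore line breaks as <br>, so the
// only markup in the output is markup the renderer itself produced.
function renderEmailBodySafe(observable) {
  const escaped = escapeHtml(observable.body ?? "");
  return `<div class="email-body">${escaped.replace(/\r?\n/g, "<br>")}</div>`;
}

// Ingestion-time review hook: flag observables whose body carries markup or
// script-bearing attributes so an analyst can look before the object is
// shared. This is a coarse heuristic for triage, not a sanitizer; safe
// rendering still relies on escaping above.
const ACTIVE_CONTENT =
  /<\s*(script|iframe|object|embed|svg|img)\b|\bon[a-z]+\s*=|javascript:/i;

function flagSuspiciousBody(observable) {
  return ACTIVE_CONTENT.test(observable.body ?? "");
}

// Constructed sample: an email-message observable whose body carries a tag
// with an event-handler attribute (placeholder id, not a real object).
const sampleObservable = {
  type: "email-message",
  id: "email-message--00000000-0000-4000-8000-000000000001",
  is_multipart: false,
  subject: "Invoice attached",
  body: 'Please review.\n<img src="x" onerror="alert(1)">',
};

console.log(renderEmailBodyUnsafe(sampleObservable)); // tag reaches the DOM intact
console.log(renderEmailBodySafe(sampleObservable));   // tag is displayed as literal text
console.log(flagSuspiciousBody(sampleObservable));    // true
```

Escaping is the minimum a text-only field needs; if the product intentionally renders HTML mail bodies, an allowlist sanitizer would replace `escapeHtml`, and the triage flag above still gives defenders a hook to audit objects that arrive through shared STIX bundles or ingesters.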

Preconditions

  • [input] The attacker must provide a malicious email-message observable.
  • [input] The victim must view the malicious email-message observable.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
