CVE-2026-9806: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in misp cti-transmute
Description
A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.
CVSS v4.0
Score 6.3 (Medium)
Weaknesses: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper neutralization of input during web page generation (CWE-79) in the notification panel of CTI Transmute in misp. Specifically, user-controlled convert names included in notification messages were inserted into the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to influence a convert name could inject JavaScript that executes in the browser of an authenticated user viewing the notification panel. The issue was fixed by constructing notification elements through DOM methods and assigning content via textContent instead of innerHTML. The vulnerability was only present on a development branch and is not known to affect released versions.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of an authenticated user's browser session. This could enable actions performed with the victim's privileges or access to information available to the application in the browser. However, the vulnerability was limited to a development branch and is not known to be present in production releases. There are no known exploits in the wild.
Mitigation Recommendations
The vulnerability has been remediated by changing the notification rendering code to use safe DOM methods and textContent instead of innerHTML. Since this issue was only present on a development branch, users of official releases are not affected. No additional mitigation is required for production deployments. Patch status is not explicitly stated; check the vendor advisory or development branch updates for the fixed code.
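The before/after pattern the description and mitigation text refer to (user-controlled convert name interpolated into innerHTML, versus elements built with DOM methods and the name assigned through textContent), shown as an added example. This is not code from the CTI Transmute project: the notification field names (`convertName`, `status`), the sample convert name, and the tiny `FakeDocument` stand-in are all constructed here so the block runs offline in Node and the serialized output makes the difference visible; in a browser you would pass the real `document` instead.

```javascript
// Added example, not code from the CTI Transmute project. It contrasts the
// vulnerable rendering pattern (innerHTML) with the remediated one (DOM
// methods + textContent) for a single notification item.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed minimal DOM stand-in: it serializes nodes the way a browser
// would, i.e. innerHTML is kept verbatim (markup becomes live) while
// textContent is emitted escaped (markup stays inert text).
class FakeElement {
  constructor(tag) {
    this.tagName = tag;
    this.className = '';
    this.children = [];
    this._text = null;   // set via textContent
    this._raw = null;    // set via innerHTML
  }
  appendChild(child) { this.children.push(child); return child; }
  set textContent(v) { this._text = String(v); this._raw = null; this.children = []; }
  get textContent() { return this._text === null ? '' : this._text; }
  set innerHTML(v) { this._raw = String(v); this._text = null; this.children = []; }
  get innerHTML() {
    if (this._raw !== null) return this._raw;
    if (this._text !== null) return escapeHtml(this._text);
    return this.children.map(c => c.outerHTML).join('');
  }
  get outerHTML() {
    const cls = this.className ? ` class="${escapeHtml(this.className)}"` : '';
    return `<${this.tagName}${cls}>${this.innerHTML}</${this.tagName}>`;
  }
}

class FakeDocument { createElement(tag) { return new FakeElement(tag); } }

// Hypothetical notification shape (field names are assumed, not the project's).
// The convert name is constructed sample input carrying markup.
const sampleNotification = {
  convertName: 'report<img src=x onerror=alert(1)>',
  status: 'finished',
};

// BEFORE: the pattern the advisory describes. The convert name is spliced
// into markup, so any tags it carries become live DOM in the victim's panel.
function renderNotificationVulnerable(doc, n) {
  const li = doc.createElement('li');
  li.className = 'notification';
  li.innerHTML = `<strong>${n.convertName}</strong> ${n.status}`;
  return li;
}

// AFTER: the remediation the advisory describes. Structure comes from
// developer-controlled createElement calls; user-controlled strings only
// ever pass through textContent, which the browser treats as text.
function renderNotificationFixed(doc, n) {
  const li = doc.createElement('li');
  li.className = 'notification';
  const name = doc.createElement('strong');
  name.textContent = n.convertName;
  const status = doc.createElement('span');
  status.textContent = ` ${n.status}`;
  li.appendChild(name);
  li.appendChild(status);
  return li;
}

// Review/test helper: does the serialized item contain a live tag of this
// name, i.e. markup that originated in user data rather than in the renderer?
function containsLiveTag(html, tag) {
  return new RegExp(`<${tag}[\\s>]`, 'i').test(html);
}

const doc = new FakeDocument();
const before = renderNotificationVulnerable(doc, sampleNotification).outerHTML;
const after = renderNotificationFixed(doc, sampleNotification).outerHTML;
console.log('vulnerable:', before);
console.log('fixed:     ', after);
```

The point of the stand-in is that the fixed renderer never produces an `img` element from the convert name: the same input serializes as `&lt;img ...&gt;` inside the `strong` element. A unit test like `containsLiveTag(after, 'img') === false` is a cheap regression check to keep in the notification code's test suite once the remediated branch is merged.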
Technical Details
- Data Version: 5.2
- Assigner Short Name: CIRCL
- Date Reserved: 2026-05-28T06:34:56.347Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a17efcfe29bf47b50bb7605
Added to database: 5/28/2026, 7:33:35 AM
Last enriched: 5/28/2026, 7:48:54 AM
Last updated: 5/29/2026, 5:54:29 PM
Views: 17