PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9806 misp CVE debrief

A stored cross-site scripting (XSS) vulnerability in CTI Transmute's notification panel allowed JavaScript injection via unsanitized convert names rendered with innerHTML. The vulnerability was confined to a development branch and has been remediated by switching to DOM construction methods with textContent assignment.

Vendor
misp
Product
cti-transmute
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running CTI Transmute development branch builds; security teams reviewing application notification implementations; developers maintaining JavaScript frontend components handling user-controlled data.

Technical summary

CTI Transmute versions prior to the patched release contained a stored XSS vulnerability in the notification bell dropdown. Notification messages incorporating user-controlled convert names were rendered by assigning a markup string to innerHTML without sanitization, so a convert name containing HTML was parsed as markup and could carry arbitrary JavaScript. Because the payload is stored, the attacker only needs to be able to set a convert name; when any authenticated user later opened the notification panel, the injected script executed in that user's browser context, potentially enabling session hijacking or unauthorized actions on their behalf. The vulnerability existed only on a development branch, so teams that build from that branch should confirm their deployment includes the fix. The fix replaced innerHTML assignment with DOM element construction and textContent assignment, which treats the convert name as text rather than markup and eliminates the injection vector.

Defensive priority

medium

Recommended defensive actions

  • Review notification panel implementations for unsafe innerHTML usage with user-controlled data
  • Audit development branch deployments for exposure of unmerged features
  • Implement Content Security Policy (CSP) headers as defense-in-depth for XSS mitigation
  • Verify that notification message rendering uses textContent or equivalent safe DOM methods
  • Conduct code review of similar UI components that may process user-controlled strings
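The following is an added example, not code from CTI Transmute or from MISP. It shows the innerHTML pattern the technical summary describes beside the DOM-construction fix, and a small serialized-output check of the kind the review actions above call for. Function names, the notification wording and the attacker payload are assumptions made for illustration; the stand-in document exists only so the example runs in Node.js (in a browser, pass the real `document` instead).

```javascript
// Added example (assumed names; not the project's own code): the vulnerable
// innerHTML rendering beside the textContent-based fix.

// Constructed attacker-controlled convert name, stored and rendered later.
const ATTACKER_CONVERT_NAME = '<img src=x onerror="alert(document.cookie)">';

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal stand-in for the DOM (an assumption of this example so it runs in
// Node.js). Its serializer mirrors the one browser rule that matters here:
// a string assigned through innerHTML is parsed as HTML, while a string
// assigned through textContent becomes a text node and is escaped on output.
class StubElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.childNodes = [];
    this.rawMarkup = null; // set only via innerHTML
  }
  set innerHTML(markup) { this.childNodes = []; this.rawMarkup = String(markup); }
  set textContent(text) { this.rawMarkup = null; this.childNodes = [{ text: String(text) }]; }
  appendChild(child) { this.childNodes.push(child); return child; }
  get outerHTML() {
    const inner = this.rawMarkup !== null
      ? this.rawMarkup
      : this.childNodes
          .map((c) => (c instanceof StubElement ? c.outerHTML : escapeHtml(c.text)))
          .join('');
    return `<${this.tagName}>${inner}</${this.tagName}>`;
  }
}
const stubDocument = { createElement: (tag) => new StubElement(tag) };

// Vulnerable shape described in the debrief: the untrusted name is
// interpolated into markup, which innerHTML then parses.
function renderNotificationUnsafe(doc, convertName) {
  const item = doc.createElement('li');
  item.innerHTML = `<strong>Convert finished:</strong> ${convertName}`;
  return item;
}

// Fixed shape: build the elements, then assign the untrusted string as text.
function renderNotificationSafe(doc, convertName) {
  const item = doc.createElement('li');
  const label = doc.createElement('strong');
  label.textContent = 'Convert finished:';
  const name = doc.createElement('span');
  name.textContent = ` ${convertName}`;
  item.appendChild(label);
  item.appendChild(name);
  return item;
}

// Review check on the serialized entry: an executable element, or an inline
// on*= handler inside a tag. Escaped text such as "&lt;img ... onerror="
// is deliberately not matched, because no tag is opened there.
function carriesActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b|<\s*[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Render both versions with the constructed payload and report the check.
function demo(doc = globalThis.document || stubDocument) {
  const unsafe = renderNotificationUnsafe(doc, ATTACKER_CONVERT_NAME).outerHTML;
  const safe = renderNotificationSafe(doc, ATTACKER_CONVERT_NAME).outerHTML;
  return {
    unsafe,
    safe,
    unsafeActive: carriesActiveMarkup(unsafe),
    safeActive: carriesActiveMarkup(safe),
  };
}

console.log(demo());
```

The point the stand-in makes visible is that the fix does not rely on a sanitizer at all: textContent never hands the string to the HTML parser, so the same payload that produces an `<img ... onerror>` element under innerHTML is serialized as `&lt;img ...` under the fixed path. A Content Security Policy that disallows inline script remains worthwhile as a second layer, since it blocks the `onerror` handler even where an unsafe sink is missed in review.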

Evidence notes

CVE published 2026-05-28. Remediation commit available via GitHub. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required (CVSS 4.0 has no "partial" level; in practice the attacker needs an account able to set a convert name) and low confidentiality impact to the vulnerable system.

Official resources

2026-05-28