MEDIUM 6.1

PYSEC-2026-115

상세

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / pycti

최초 영향 버전: 0

No fixed version published yet for pycti (pip). Pin to a known-safe version or switch to an alternative.

참고

https://www.opencti.io/ [WEB]
https://www.vulncheck.com/advisories/opencti-cross-site-scripting [ADVISORY]
https://github.com/OpenCTI-Platform/opencti [PACKAGE]
https://www.exploit-db.com/exploits/48595 [EVIDENCE]