Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pycti@6.8.6

Type pypi

Namespace

Name pycti

Version 6.8.6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 6.9.13

Latest_non_vulnerable_version 6.9.13

Affected_by_vulnerabilities

url VCID-8vjm-472q-tbh4

vulnerability_id VCID-8vjm-472q-tbh4

summary OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-21886

reference_id

reference_type

scores

value	0.00164
scoring_system	epss
scoring_elements	0.37073
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-21886

reference_url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mhmx-j75v-2m6x

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T16:09:27Z/

url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mhmx-j75v-2m6x

fixed_packages

url pkg:pypi/pycti@6.9.1

purl pkg:pypi/pycti@6.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-pdyx-j197-6faj

vulnerability	VCID-sa46-3cys-4ue3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycti@6.9.1

aliases CVE-2026-21886, GHSA-mhmx-j75v-2m6x, PYSEC-2026-117

risk_score 3.6

exploitability 0.5

weighted_severity 7.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8vjm-472q-tbh4

url VCID-gwy3-beaz-cqg8

vulnerability_id VCID-gwy3-beaz-cqg8

summary OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-21887

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.14048
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-21887

reference_url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T17:51:53Z/

url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5

fixed_packages

url pkg:pypi/pycti@6.8.16

purl pkg:pypi/pycti@6.8.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8vjm-472q-tbh4

vulnerability	VCID-pdyx-j197-6faj

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycti@6.8.16

aliases CVE-2026-21887, GHSA-ffm6-vvph-g5f5, PYSEC-2026-118

risk_score 3.5

exploitability 0.5

weighted_severity 6.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwy3-beaz-cqg8

url VCID-pdyx-j197-6faj

vulnerability_id VCID-pdyx-j197-6faj

summary OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44730

reference_id

reference_type

scores

value	0.00038
scoring_system	epss
scoring_elements	0.11739
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44730

reference_url

https://github.com/OpenCTI-Platform/opencti

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/OpenCTI-Platform/opencti

reference_url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-q537-qhj4-wcjx

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-28T14:02:23Z/

url

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-q537-qhj4-wcjx

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/pycti/PYSEC-2026-167.yaml

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/pycti/PYSEC-2026-167.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44730

reference_id

CVE-2026-44730

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44730

reference_url

https://github.com/advisories/GHSA-q537-qhj4-wcjx

reference_id

GHSA-q537-qhj4-wcjx

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q537-qhj4-wcjx

fixed_packages

url pkg:pypi/pycti@6.9.7

purl pkg:pypi/pycti@6.9.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sa46-3cys-4ue3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycti@6.9.7

aliases CVE-2026-44730, GHSA-q537-qhj4-wcjx, PYSEC-2026-167

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pdyx-j197-6faj

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pycti@6.8.6

Package Instance