Opencti · Opencti · CVE-2026-21887
**Name of the Vulnerable Software and Affected Versions**
OpenCTI versions prior to 6.8.16
**Description**
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Its data ingestion feature accepts a user-supplied URL (the `URL` parameter) without validating it and passes it to the Axios HTTP client in its default configuration (`allowAbsoluteUrls: true`). In that configuration an absolute URL in the request is used as-is and overrides any configured `baseURL` instead of being resolved relative to it, so the server can be made to send requests to arbitrary destinations, including internal services that are not reachable from outside. The result is a semi-blind Server-Side Request Forgery (SSRF): the response is not, or not fully, returned to the attacker, but the request is still delivered to the chosen target and can affect internal systems.
**Recommendations**
Versions prior to 6.8.16 should be updated to version 6.8.16 or later.