CVE-2026-1011

Medium CVSS: 6.1

A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests.

The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context.

Vendor

Altium

Product

Altium Live

CWE

CWE-79

Yayın Tarihi

2026-01-16 00:16:29

Güncelleme

2026-01-23 20:26:55

Source Identifier

4760f414-e1ae-4ff1-bdad-c7a9c3538b79

KEV Date Added

Kategoriler

CWE-79 Altium Live MEDIUM Altium 2026

Referanslar

https://www.altium.com/platform/security-compliance/security-advisories

Benzer Kayıtlar

Medium

CVE-2025-27379

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker…

High

CVE-2025-27380

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attac…

High

CVE-2025-27378

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic f…

Medium

CVE-2025-27377

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capa…

Critical

CVE-2026-1009

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitizati…

High

CVE-2026-1010

A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input…