← volver
CVE-2026-1010

Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation

CVSS 8 HIGHEPSS 0.3%CWE-269CWE-79
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
15 ene 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Productos afectados
Altium · Altium Enterprise Server

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://www.altium.com/platform/security-compliance/security-advisories