← Back

CVE-2026-1008

nvd nist
Published: Jan 15, 2026Modified: Jan 23, 2026

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD

Description

A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.

Affected (1)

Products: Altium: Altium Live
Altium
1 product
Altium Live
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Altium Live
Version 1.2.2

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

Source: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
Vendor Advisory

Timeline

No history available yet.