← Back

Altium

altium

8 CVEs • 3 products

Products (3)

Click to collapse
Toggle
On Prem Enterprise Server
on-prem_enterprise_server
4 CVEs
Altium Live
altium_live
3 CVEs
Designer
designer
1 CVE

CVEs (8)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2025-27380
1Altium
1On Prem Enterprise Server
Feb 26, 2026
Jan 22, 2026
N/A· v4
7.6 HIGH· v3
N/A· v2
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.
CVE-2025-27379
1Altium
1On Prem Enterprise Server
Feb 26, 2026
Jan 22, 2026
N/A· v4
4.6 MEDIUM· v3
N/A· v2
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when th...Show more
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.Show less
CVE-2025-27378
1Altium
1On Prem Enterprise Server
Feb 26, 2026
Jan 22, 2026
N/A· v4
9.8 CRITICAL· v3
N/A· v2
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled,...Show more
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.Show less
CVE-2025-27377
1Altium
1Designer
Feb 26, 2026
Jan 22, 2026
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipul...Show more
Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data.Show less
CVE-2026-1011
1Altium
1Altium Live
Jan 23, 2026
Jan 16, 2026
N/A· v4
6.1 MEDIUM· v3
N/A· v2
A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend ac...Show more
A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context.Show less
CVE-2026-1010
1Altium
1On Prem Enterprise Server
Jan 23, 2026
Jan 15, 2026
N/A· v4
5.4 MEDIUM· v3
N/A· v2
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary Jav...Show more
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.Show less
CVE-2026-1009
1Altium
1Altium Live
Jan 23, 2026
Jan 15, 2026
N/A· v4
5.4 MEDIUM· v3
N/A· v2
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts...Show more
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.Show less
CVE-2026-1008
1Altium
1Altium Live
Jan 23, 2026
Jan 15, 2026
N/A· v4
5.4 MEDIUM· v3
N/A· v2
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript paylo...Show more
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.Show less