Description
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques.
The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.
Published: 2026-01-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to session hijacking or phishing
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability resides in the user profile text fields of Altium Live. Insufficient server‑side sanitization allows authenticated users to inject arbitrary HTML and JavaScript. When an impacted profile is viewed, the payload is executed in the victim’s browser, enabling session token theft, phishing, or malicious redirects. The weakness is a classic input validation flaw.

Affected Systems

Altium Live is the affected product, specifically version 1.2.2. The issue is present in the user profile editing functionality of Altium 365, requiring an authenticated user to supply malicious content.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. The EPSS score is below 1%, suggesting exploitation is unlikely but not impossible; the CVE is not listed in the CISA KEV catalog. Exploitation demands an authenticated account and a victim who visits the altered profile, so the attack vector is limited to social engineering or internal user interaction. The vulnerability's impact is confined to the victim's browser context, but it can lead to credential compromise and further lateral movement.

Generated by OpenCVE AI on April 18, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Altium Live patch that addresses the XSS flaw once released.
  • Configure a strict Content‑Security‑Policy that disallows inline scripts and limits script sources.
  • Enforce server‑side sanitization of profile text fields or restrict editing to trusted users.
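The third action above is the one that actually removes the flaw. As an added illustration (not code from Altium or OpenCVE), the following Python contrasts a naive regex filter, which the whitespace-based attribute tricks named in the description slip past, with an allowlist sanitizer built on a real HTML tokenizer, which sees `onmouseover = "..."` as the same attribute as `onmouseover="..."`. The allowed tag and attribute sets are assumed for a profile "bio" field and are not Altium's policy.

```python
"""Allowlist sanitizer for a profile text field vs. a naive regex filter."""
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for a profile bio: a few formatting tags, one attribute.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Naive filter: only strips ' on<event>="..."' written with no spaces around '='.
NAIVE_RE = re.compile(r'\son\w+="[^"]*"', re.IGNORECASE)


def naive_filter(html: str) -> str:
    """Regex-based stripping; defeated by whitespace inside the attribute."""
    return NAIVE_RE.sub("", html)


class Sanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:          # unknown tag: drop it entirely
            return
        kept = []
        for name, value in attrs:       # parser already normalised whitespace
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                # block javascript:/data: style schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always re-escaped on output


def sanitize(html: str) -> str:
    """Server-side sanitization to apply before persisting a profile field."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Constructed inputs such as `<b onmouseover = "x()">hi</b>` keep their handler under `naive_filter` but come out as `<b>hi</b>` from `sanitize`, because the tokenizer, not a regex, decides where an attribute starts and ends.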


Tracking


Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:   Altium altium Live

Type: CPEs
Values Removed: (none)
Values Added:   cpe:2.3:a:altium:altium_live:1.2.2:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:   Altium altium Live

Mon, 19 Jan 2026 12:00:00 +0000

Type: Title
Values Removed: Stored Cross-Site Scripting in Altium 365 User Profile Fields
Values Added:   Stored Cross-Site Scripting in Altium Live User Profile Fields

Fri, 16 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:   Altium; Altium altium 365

Type: Vendors & Products
Values Removed: (none)
Values Added:   Altium; Altium altium 365

Thu, 15 Jan 2026 23:45:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added:   {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}


Thu, 15 Jan 2026 22:45:00 +0000

Type: Description
Values Removed: (none)
Values Added:   A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.

Type: Title
Values Removed: (none)
Values Added:   Stored Cross-Site Scripting in Altium 365 User Profile Fields

Type: Weaknesses
Values Removed: (none)
Values Added:   CWE-79

Type: References
Values Removed: (none)
Values Added:   (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added:   {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-01-19T11:42:46.627Z

Reserved: 2026-01-15T22:08:25.034Z

Link: CVE-2026-1008

Vulnrichment

Updated: 2026-01-16T14:51:10.306Z

NVD

Status: Analyzed

Published: 2026-01-15T23:15:50.970

Modified: 2026-01-23T19:34:53.327

Link: CVE-2026-1008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses