Description
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post.
Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
Published: 2026-01-15
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privileged data exposure via stored XSS
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting flaw in Altium Live Forum allows an authenticated user to inject arbitrary JavaScript into post content. The malicious script is stored and then executed when other users view the post. Because the script runs in the victim’s authenticated Altium 365 session, it can read sensitive workspace data including design files and settings, effectively granting the attacker unauthorized access to privileged information.

Affected Systems

Altium Live version 1.2.2. No other affected versions are listed.

Risk and Exploitability

This vulnerability carries a CVSS score of 9, indicating high severity, while the EPSS probability is very low (< 1 %) and it is not listed in the KEV catalog. The attack requires an attacker to create a post containing the exploit and a victim to view that post, so interaction from the victim is necessary for execution. Once the script runs, it can read or exfiltrate sensitive data within the user’s authenticated session.

Generated by OpenCVE AI on April 18, 2026 at 05:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Altium Live patch or upgrade to a version that includes server‑side input sanitization for forum posts
  • Configure the forum to disallow script tags and enforce strict content filtering before storing posts
  • Deploy a web application firewall rule that detects and blocks embedded JavaScript in forum content

Generated by OpenCVE AI on April 18, 2026 at 05:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Altium altium Live
CPEs cpe:2.3:a:altium:altium_live:1.2.2:*:*:*:*:*:*:*
Vendors & Products Altium altium Live

Tue, 20 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Title Stored Cross-Site Scripting in Altium 365 Forum Leading to Cross-Customer Data Exposure Stored Cross-Site Scripting in Altium Live Forum Leading to Cross-Customer Data Exposure

Mon, 19 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
Title Stored Cross-Site Scripting in Altium Forum Leading to Cross-Customer Data Exposure Stored Cross-Site Scripting in Altium 365 Forum Leading to Cross-Customer Data Exposure

Fri, 16 Jan 2026 22:45:00 +0000

Type Values Removed Values Added
Title Stored Cross-Site Scripting in Altium Enterprise Server Forum Leading to Cross-Customer Data Exposure Stored Cross-Site Scripting in Altium Forum Leading to Cross-Customer Data Exposure

Fri, 16 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
Title Stored Cross-Site Scripting in Altium Forum Leading to Cross-Customer Data Exposure Stored Cross-Site Scripting in Altium Enterprise Server Forum Leading to Cross-Customer Data Exposure

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Altium
Altium altium 365
Vendors & Products Altium
Altium altium 365

Thu, 15 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
Title Stored Cross-Site Scripting in Altium Forum Leading to Cross-Customer Data Exposure
Weaknesses CWE-284
CWE-79
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Altium Altium 365 Altium Live
cve-icon MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-01-20T20:15:28.251Z

Reserved: 2026-01-15T22:08:45.185Z

Link: CVE-2026-1009

cve-icon Vulnrichment

Updated: 2026-01-16T17:17:37.928Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T23:15:51.153

Modified: 2026-01-23T19:32:23.350

Link: CVE-2026-1009

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses