Impact
A stored cross‑site scripting flaw is present in the Altium Live Support Center’s AddComment endpoint. The backend accepts and retains arbitrary HTML and JavaScript embedded in comment payloads because it performs no server‑side sanitization; the only escaping happens client‑side, which an attacker can bypass by submitting the request directly. When a support case is subsequently displayed to another user, including administrators, the unsanitized payload is rendered directly by the victim’s browser, allowing the attacker to execute arbitrary JavaScript in that user’s context. The impact is limited to the client’s browser; there is no host‑level code execution or data modification on the server, but the attacker can exfiltrate session data, inject malicious logic, or impersonate the victim within the support portal. This vulnerability is a classic example of the CWEs covering improper output encoding (CWE‑79) and incorrect handling of content types (CWE‑116). It represents a medium severity flaw because the target must view the compromised case for the payload to fire. The stored nature of the payload means that a single injected comment can be exploited repeatedly as each new viewer opens the case. While the EPSS score of < 1 % indicates a low likelihood of current exploitation, the flaw remains publicly documented and is not listed in the CISA KEV catalog, so organizations using Altium Live should monitor for exploitation attempts or apply the recommended mitigations.
Affected Systems
The affected product is Altium Live, specifically the AddComment endpoint within the Altium Live Support Center. The advisory does not specify a particular version number, implying that any deployment of Altium Live that exposes this endpoint without server‑side sanitization is vulnerable. Administrators and support staff who view support cases will be impacted when malicious content is stored, regardless of the specific release version.
Risk and Exploitability
An attacker can exploit this flaw by crafting a malicious POST request to the AddComment endpoint, inserting arbitrary script tags or event handlers into the comment content. The likely attack vector is web‑based: the attacker needs no privileged credentials beyond the ability to post a comment, and the injected code executes in the browser context of any user who later opens the affected support case. The CVSS base score of 6.1 reflects the medium impact, and the EPSS score of < 1 % suggests that the current probability of real‑world exploitation is low, although the vulnerability is publicly known. The flaw is not associated with the KEV catalog, which indicates no known widespread exploitation, but the potential for social‑engineering or internal misuse keeps the risk relevant.
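The following is an added example, not Altium’s code, modelling the pattern described in the Impact and Risk sections above: a comment store whose AddComment-style handler keeps the body verbatim, a page builder that concatenates stored bodies into HTML as-is (the flaw), a hardened builder that entity-encodes every body at the point it is placed into element content (the CWE‑116 remediation), and a heuristic scan a defender can run over comments that were stored before a fix. The case identifiers, function names and sample comments are constructed for illustration.

```python
"""Added example (not Altium's code): a minimal model of stored XSS in a
support-case comment feed, with the vulnerable render path beside a hardened
one and a detection check for payloads that were stored before the fix.
All names, case ids and sample comments here are constructed."""
import html
import re
from dataclasses import dataclass, field


@dataclass
class SupportCase:
    case_id: str
    comments: list = field(default_factory=list)  # bodies kept exactly as received


CASES: dict = {}


def add_comment(case_id: str, body: str) -> None:
    """Models an AddComment handler: stores the body verbatim. A browser form may
    have HTML-escaped the text before submitting, but a direct POST skips that
    step, so the server must not rely on anything the client did."""
    CASES.setdefault(case_id, SupportCase(case_id)).comments.append(body)


def render_case_vulnerable(case_id: str) -> str:
    """Flawed page builder: stored bodies are concatenated into the page as-is,
    so markup inside a comment becomes live markup in the viewer's browser."""
    return "".join(f'<div class="comment">{c}</div>' for c in CASES[case_id].comments)


def render_case_hardened(case_id: str) -> str:
    """Fixed page builder: each body is entity-encoded for the HTML element
    context it lands in, regardless of what the client submitted. Encoding is
    done once, at output time, so nothing stored is ever trusted as markup."""
    return "".join(
        f'<div class="comment">{html.escape(c, quote=True)}</div>'
        for c in CASES[case_id].comments
    )


# Heuristic for finding active-content markup in already-stored comments.
# Deliberately broad; expect some false positives on text like "turn on = yes".
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b"  # tags that execute or load
    r"|\bon[a-z]+\s*="                                  # inline event handlers
    r"|javascript\s*:",                                 # javascript: URLs
    re.IGNORECASE,
)


def flag_suspicious_comments(case_id: str) -> list:
    """Returns (index, body) pairs whose stored text contains markup worth review."""
    return [(i, c) for i, c in enumerate(CASES[case_id].comments) if SUSPICIOUS.search(c)]


def leaks_raw_markup(rendered: str) -> bool:
    """True if anything other than the fixed wrapper markup reached the page as
    raw angle brackets, i.e. comment content was not encoded on output."""
    body = rendered.replace('<div class="comment">', "").replace("</div>", "")
    return "<" in body or ">" in body


def demo() -> dict:
    """Stores one benign comment and one constructed test payload, then renders
    the case both ways and runs the scan over the stored bodies."""
    CASES.clear()
    add_comment("CASE-1", "Board revision attached, please review.")
    add_comment("CASE-1", '<img src="x" onerror="alert(1)">')  # constructed test payload
    return {
        "vulnerable": render_case_vulnerable("CASE-1"),
        "hardened": render_case_hardened("CASE-1"),
        "flagged": flag_suspicious_comments("CASE-1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened path does not add a second layer of client-side escaping; if the browser form also escaped the text, the server encoding would turn `&lt;` into `&amp;lt;` and display literal entities to the reader, so output encoding on the server is kept as the single point of control. The scan is a triage aid for comments stored before the fix and is not a substitute for that encoding.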
OpenCVE Enrichment