Search criteria
6 vulnerabilities found for Altium Enterprise Server by Altium
CVE-2026-9129 (GCVE-0-2026-9129)
Vulnerability from nvd – Published: 2026-05-20 18:05 – Updated: 2026-05-20 19:28
VLAI?
Title
Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
Summary
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.
Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , < 8.0.4
(semver)
|
Date Public ?
2026-05-20 21:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T19:27:51.245372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T19:28:30.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Viewer StorageController (localStorage API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joris Aerts, Tesla Inc."
}
],
"datePublic": "2026-05-20T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cp\u003eBecause the readable files include the server\u0027s master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.\u003c/p\u003e"
}
],
"value": "A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.\n\n\n\n\n\n\n\n\nBecause the readable files include the server\u0027s master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
},
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639 Probe System Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T18:05:29.442Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-9129",
"datePublished": "2026-05-20T18:05:29.442Z",
"dateReserved": "2026-05-20T17:52:55.487Z",
"dateUpdated": "2026-05-20T19:28:30.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9102 (GCVE-0-2026-9102)
Vulnerability from nvd – Published: 2026-05-20 17:48 – Updated: 2026-05-20 19:30
VLAI?
Title
Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write
Summary
A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.
Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , < 8.0.4
(semver)
|
Date Public ?
2026-05-20 21:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T19:28:45.927399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T19:30:23.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ComparisonService (Gerber upload API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joris Aerts, Tesla Inc."
}
],
"datePublic": "2026-05-20T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.\u003c/p\u003e\n\u003cp\u003eBecause content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.\u003c/p\u003e"
}
],
"value": "A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.\n\n\n\n\nBecause content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
},
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-650 Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted upload of file with dangerous type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:48:31.798Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-9102",
"datePublished": "2026-05-20T17:48:31.798Z",
"dateReserved": "2026-05-20T16:06:24.984Z",
"dateUpdated": "2026-05-20T19:30:23.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1010 (GCVE-0-2026-1010)
Vulnerability from nvd – Published: 2026-01-15 23:00 – Updated: 2026-02-05 22:07
VLAI?
Title
Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.
When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , ≤ 8.0.1
(semver)
|
Date Public ?
2026-01-15 22:58
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T17:05:21.932214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T17:05:38.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Workflow Engine (Part Request submit-form API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThanOrEqual": "8.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-15T22:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.\u003cbr\u003e\u003cbr\u003eWhen an administrator views the affected workflow, the injected payload executes in the administrator\u2019s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.\n\nWhen an administrator views the affected workflow, the injected payload executes in the administrator\u2019s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T22:07:23.193Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-1010",
"datePublished": "2026-01-15T23:00:18.163Z",
"dateReserved": "2026-01-15T22:08:47.337Z",
"dateUpdated": "2026-02-05T22:07:23.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9129 (GCVE-0-2026-9129)
Vulnerability from cvelistv5 – Published: 2026-05-20 18:05 – Updated: 2026-05-20 19:28
VLAI?
Title
Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
Summary
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.
Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , < 8.0.4
(semver)
|
Date Public ?
2026-05-20 21:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T19:27:51.245372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T19:28:30.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Viewer StorageController (localStorage API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joris Aerts, Tesla Inc."
}
],
"datePublic": "2026-05-20T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cp\u003eBecause the readable files include the server\u0027s master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.\u003c/p\u003e"
}
],
"value": "A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.\n\n\n\n\n\n\n\n\nBecause the readable files include the server\u0027s master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
},
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639 Probe System Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T18:05:29.442Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-9129",
"datePublished": "2026-05-20T18:05:29.442Z",
"dateReserved": "2026-05-20T17:52:55.487Z",
"dateUpdated": "2026-05-20T19:28:30.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9102 (GCVE-0-2026-9102)
Vulnerability from cvelistv5 – Published: 2026-05-20 17:48 – Updated: 2026-05-20 19:30
VLAI?
Title
Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write
Summary
A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.
Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , < 8.0.4
(semver)
|
Date Public ?
2026-05-20 21:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T19:28:45.927399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T19:30:23.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ComparisonService (Gerber upload API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joris Aerts, Tesla Inc."
}
],
"datePublic": "2026-05-20T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.\u003c/p\u003e\n\u003cp\u003eBecause content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.\u003c/p\u003e"
}
],
"value": "A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.\n\n\n\n\nBecause content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
},
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-650 Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted upload of file with dangerous type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:48:31.798Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-9102",
"datePublished": "2026-05-20T17:48:31.798Z",
"dateReserved": "2026-05-20T16:06:24.984Z",
"dateUpdated": "2026-05-20T19:30:23.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1010 (GCVE-0-2026-1010)
Vulnerability from cvelistv5 – Published: 2026-01-15 23:00 – Updated: 2026-02-05 22:07
VLAI?
Title
Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.
When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Severity ?
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Altium | Altium Enterprise Server |
Affected:
0 , ≤ 8.0.1
(semver)
|
Date Public ?
2026-01-15 22:58
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T17:05:21.932214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T17:05:38.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Workflow Engine (Part Request submit-form API)"
],
"platforms": [
"Web"
],
"product": "Altium Enterprise Server",
"vendor": "Altium",
"versions": [
{
"lessThanOrEqual": "8.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-01-15T22:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.\u003cbr\u003e\u003cbr\u003eWhen an administrator views the affected workflow, the injected payload executes in the administrator\u2019s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.\n\nWhen an administrator views the affected workflow, the injected payload executes in the administrator\u2019s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T22:07:23.193Z",
"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"shortName": "Altium"
},
"references": [
{
"url": "https://www.altium.com/platform/security-compliance/security-advisories"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79",
"assignerShortName": "Altium",
"cveId": "CVE-2026-1010",
"datePublished": "2026-01-15T23:00:18.163Z",
"dateReserved": "2026-01-15T22:08:47.337Z",
"dateUpdated": "2026-02-05T22:07:23.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}