4 vulnerabilities found for flexplm by ptc
CVE-2026-12569 (GCVE-0-2026-12569)
Vulnerability from nvd – Published: 2026-06-18 00:11 – Updated: 2026-06-30 17:34
Title
Remote Code Execution (RCE) vulnerability in Windchill PDMlink
Summary
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
* This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
Severity
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ptc.com/en/support/article/CS473270 | vendor-advisory, mitigation, permissions-required |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569 | government-resource |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| PTC | Windchill PDMLink | Affected: 0 to ≤ 11.0 M030 (semver); 11.1 M020; 11.2.1.0; 12.0.2.0; 12.1.2.0; 13.0.2.0; 13.1.0.0; 13.1.1.0; 13.1.2.0; 13.1.3.0 |
| PTC | FlexPLM | Affected: 0 to ≤ 11.0 M030 (semver); 11.1 M020; 11.2.1.0; 12.0.0.0; 12.0.2.0; 12.1.2.0; 12.1.3.0; 13.0.2.0; 13.0.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12569",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T03:56:12.541322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:34:13.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windchill PDMLink",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.1.0.0"
},
{
"status": "affected",
"version": "13.1.1.0"
},
{
"status": "affected",
"version": "13.1.2.0"
},
{
"status": "affected",
"version": "13.1.3.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FlexPLM",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.0.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "12.1.3.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u0026nbsp;\u003cdiv\u003e\u003cul\u003e\u003cli\u003eThis advisory also applies to all CPS versions\u003c/li\u003e\u003cli\u003eThe identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u00a0 * This advisory also applies to all CPS versions\n * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
},
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T00:11:35.241Z",
"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"shortName": "PTC"
},
"references": [
{
"tags": [
"vendor-advisory",
"mitigation",
"permissions-required"
],
"url": "https://www.ptc.com/en/support/article/CS473270"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in Windchill PDMlink",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"assignerShortName": "PTC",
"cveId": "CVE-2026-12569",
"datePublished": "2026-06-18T00:11:35.241Z",
"dateReserved": "2026-06-18T00:02:58.904Z",
"dateUpdated": "2026-06-30T17:34:13.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4681 (GCVE-0-2026-4681)
Vulnerability from nvd – Published: 2026-03-23 21:48 – Updated: 2026-03-24 14:49
VLAI
KEVIntel
Title
Critical Remote Code Execution vulnerability reported in Windchill
Summary
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
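| https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOop3e7Nthx5-BsrjKdpZi50wL6l6Bt21Fz0gUub2cIPgdPGV5bNl | vendor-advisory, mitigation |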
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| PTC | Windchill PDMLink | Affected: 11.0 M030 (semver); 11.1 M020 (semver); 11.2.1.0 (semver); 12.0.2.0 (semver); 12.1.2.0 (semver); 13.0.2.0 (semver); 13.1.0.0; 13.1.1.0; 13.1.2.0; 13.1.3.0 |
| PTC | FlexPLM | Affected: 11.0 M030; 11.1 M020; 11.2.1.0; 12.0.0.0; 12.0.2.0; 12.0.3.0; 12.1.2.0; 12.1.3.0; 13.0.2.0; 13.0.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:48:53.854433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:49:43.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Windchill PDMLink",
"vendor": "PTC",
"versions": [
{
"status": "affected",
"version": "11.0 M030",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.2.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "12.0.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "12.1.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.1.0.0"
},
{
"status": "affected",
"version": "13.1.1.0"
},
{
"status": "affected",
"version": "13.1.2.0"
},
{
"status": "affected",
"version": "13.1.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "FlexPLM",
"vendor": "PTC",
"versions": [
{
"status": "affected",
"version": "11.0 M030"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.0.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.0.3.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "12.1.3.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan\u003eA critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\n\nThis issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:48:05.652Z",
"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"shortName": "PTC"
},
"references": [
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOop3e7Nthx5-BsrjKdpZi50wL6l6Bt21Fz0gUub2cIPgdPGV5bNl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Critical Remote Code Execution vulnerability reported in Windchill",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"assignerShortName": "PTC",
"cveId": "CVE-2026-4681",
"datePublished": "2026-03-23T21:48:05.652Z",
"dateReserved": "2026-03-23T21:42:24.158Z",
"dateUpdated": "2026-03-24T14:49:43.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12569 (GCVE-0-2026-12569)
Vulnerability from cvelistv5 – Published: 2026-06-18 00:11 – Updated: 2026-06-30 17:34
Title
Remote Code Execution (RCE) vulnerability in Windchill PDMlink
Summary
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
* This advisory also applies to all CPS versions
* The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030
Severity
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ptc.com/en/support/article/CS473270 | vendor-advisory, mitigation, permissions-required |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569 | government-resource |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| PTC | Windchill PDMLink | Affected: 0 to ≤ 11.0 M030 (semver); 11.1 M020; 11.2.1.0; 12.0.2.0; 12.1.2.0; 13.0.2.0; 13.1.0.0; 13.1.1.0; 13.1.2.0; 13.1.3.0 |
| PTC | FlexPLM | Affected: 0 to ≤ 11.0 M030 (semver); 11.1 M020; 11.2.1.0; 12.0.0.0; 12.0.2.0; 12.1.2.0; 12.1.3.0; 13.0.2.0; 13.0.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12569",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T03:56:12.541322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-06-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T17:34:13.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-12569"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Windchill PDMLink",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.1.0.0"
},
{
"status": "affected",
"version": "13.1.1.0"
},
{
"status": "affected",
"version": "13.1.2.0"
},
{
"status": "affected",
"version": "13.1.3.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "FlexPLM",
"vendor": "PTC",
"versions": [
{
"lessThanOrEqual": "11.0 M030",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.0.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "12.1.3.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u0026nbsp;\u003cdiv\u003e\u003cul\u003e\u003cli\u003eThis advisory also applies to all CPS versions\u003c/li\u003e\u003cli\u003eThe identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u00a0 * This advisory also applies to all CPS versions\n * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
},
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T00:11:35.241Z",
"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"shortName": "PTC"
},
"references": [
{
"tags": [
"vendor-advisory",
"mitigation",
"permissions-required"
],
"url": "https://www.ptc.com/en/support/article/CS473270"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in Windchill PDMlink",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"assignerShortName": "PTC",
"cveId": "CVE-2026-12569",
"datePublished": "2026-06-18T00:11:35.241Z",
"dateReserved": "2026-06-18T00:02:58.904Z",
"dateUpdated": "2026-06-30T17:34:13.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4681 (GCVE-0-2026-4681)
Vulnerability from cvelistv5 – Published: 2026-03-23 21:48 – Updated: 2026-03-24 14:49
VLAI
KEVIntel
Title
Critical Remote Code Execution vulnerability reported in Windchill
Summary
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
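| https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOop3e7Nthx5-BsrjKdpZi50wL6l6Bt21Fz0gUub2cIPgdPGV5bNl | vendor-advisory, mitigation |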
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| PTC | Windchill PDMLink | Affected: 11.0 M030 (semver); 11.1 M020 (semver); 11.2.1.0 (semver); 12.0.2.0 (semver); 12.1.2.0 (semver); 13.0.2.0 (semver); 13.1.0.0; 13.1.1.0; 13.1.2.0; 13.1.3.0 |
| PTC | FlexPLM | Affected: 11.0 M030; 11.1 M020; 11.2.1.0; 12.0.0.0; 12.0.2.0; 12.0.3.0; 12.1.2.0; 12.1.3.0; 13.0.2.0; 13.0.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:48:53.854433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:49:43.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Windchill PDMLink",
"vendor": "PTC",
"versions": [
{
"status": "affected",
"version": "11.0 M030",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.1 M020",
"versionType": "semver"
},
{
"status": "affected",
"version": "11.2.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "12.0.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "12.1.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.2.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.1.0.0"
},
{
"status": "affected",
"version": "13.1.1.0"
},
{
"status": "affected",
"version": "13.1.2.0"
},
{
"status": "affected",
"version": "13.1.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "FlexPLM",
"vendor": "PTC",
"versions": [
{
"status": "affected",
"version": "11.0 M030"
},
{
"status": "affected",
"version": "11.1 M020"
},
{
"status": "affected",
"version": "11.2.1.0"
},
{
"status": "affected",
"version": "12.0.0.0"
},
{
"status": "affected",
"version": "12.0.2.0"
},
{
"status": "affected",
"version": "12.0.3.0"
},
{
"status": "affected",
"version": "12.1.2.0"
},
{
"status": "affected",
"version": "12.1.3.0"
},
{
"status": "affected",
"version": "13.0.2.0"
},
{
"status": "affected",
"version": "13.0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan\u003eA critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.\n\nThis issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:48:05.652Z",
"orgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"shortName": "PTC"
},
"references": [
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOop3e7Nthx5-BsrjKdpZi50wL6l6Bt21Fz0gUub2cIPgdPGV5bNl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Critical Remote Code Execution vulnerability reported in Windchill",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "0b655efc-079c-4cb9-9e8d-164871239f4e",
"assignerShortName": "PTC",
"cveId": "CVE-2026-4681",
"datePublished": "2026-03-23T21:48:05.652Z",
"dateReserved": "2026-03-23T21:42:24.158Z",
"dateUpdated": "2026-03-24T14:49:43.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}