CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365
Description
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Altium
- Date Reserved
- 2026-01-15T22:08:47.337Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696974917c726673b6855148
Added to database: 1/15/2026, 11:13:21 PM
Last updated: 1/15/2026, 11:16:09 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-22863: CWE-325: Missing Cryptographic Step in denoland deno
CriticalCVE-2026-1012
UnknownCVE-2026-22864: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in denoland deno
HighCVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS
MediumCVE-2026-1009: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium Forum (Altium 365)
CriticalActions
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.