CVE-2026-1009
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: Altium
Description
Description
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post.
Successful exploitation allows the attackerβs payload to execute in the context of the victimβs authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| altium | altium_365 | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
