CVE-2026-1011
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Altium
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| altium | altium_support_center | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in the Altium Support Center's AddComment endpoint. It occurs because the server does not properly sanitize input on the backend, allowing attackers to submit arbitrary HTML and JavaScript via modified POST requests. Although the client interface escapes HTML, the backend stores and later renders this malicious content exactly as submitted when support cases are viewed by other users, including privileged support staff. This enables execution of arbitrary JavaScript in the browsers of those users.
How can this vulnerability impact me?
The vulnerability can lead to execution of arbitrary JavaScript code in the browsers of users who view the affected support cases, including support staff with elevated privileges. This can result in theft of sensitive information, session hijacking, unauthorized actions performed on behalf of users, and potential compromise of user accounts or internal systems.
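The pattern the Q&A describes, escaping done only in the browser while the server stores and re-emits comment bodies verbatim, can be made concrete with a small model of a comment store. The code below is an added illustration written for this page; it is not Altium's code, and the handler and renderer names are assumptions. It shows that a comment submitted through the escaping UI renders safely, that the same comment submitted directly to the AddComment-style handler does not, and that encoding at the point of HTML output (rather than trusting the client) closes the gap. The `contains_active_markup` helper is a defender-side check you could run over rendered pages to confirm no raw script tags or event-handler attributes survive.

```python
import html
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class SupportCase:
    """Constructed model of a support case; comments are stored as plain strings."""
    comments: list = field(default_factory=list)


def client_side_escape(text: str) -> str:
    """Models the UI escaping HTML before submission (assumption about the client)."""
    return html.escape(text, quote=True)


def add_comment_trusting_client(case: SupportCase, body: str) -> None:
    """Hypothetical AddComment handler with the reported defect: it stores the body
    exactly as received, relying on the client to have escaped it."""
    case.comments.append(body)


def render_vulnerable(case: SupportCase) -> str:
    """Emits stored comments verbatim into the page, as the description reports."""
    return "".join(f'<div class="comment">{c}</div>' for c in case.comments)


def render_hardened(case: SupportCase) -> str:
    """Hardened renderer: contextual HTML encoding at the point of output.
    This is the mitigation; it does not depend on what the client did."""
    return "".join(
        f'<div class="comment">{html.escape(c, quote=True)}</div>'
        for c in case.comments
    )


class ActiveMarkupDetector(HTMLParser):
    """Flags any real <script> element or on* event-handler attribute in rendered HTML.
    Escaped text such as &lt;script&gt; is character data and never reaches handle_starttag."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.found = True


def contains_active_markup(rendered: str) -> bool:
    detector = ActiveMarkupDetector()
    detector.feed(rendered)
    return detector.found


def demo() -> dict:
    # Constructed marker payload; it only needs to be recognisable as a script element.
    payload = "<script>/* constructed marker */</script>"

    # Path 1: the comment goes through the UI, which escapes it before POSTing.
    ui_case = SupportCase()
    add_comment_trusting_client(ui_case, client_side_escape(payload))

    # Path 2: the same comment is POSTed directly, bypassing the UI's escaping.
    direct_case = SupportCase()
    add_comment_trusting_client(direct_case, payload)

    return {
        "ui_vulnerable_render": contains_active_markup(render_vulnerable(ui_case)),
        "direct_vulnerable_render": contains_active_markup(render_vulnerable(direct_case)),
        "direct_hardened_render": contains_active_markup(render_hardened(direct_case)),
    }


if __name__ == "__main__":
    for name, unsafe in demo().items():
        print(f"{name}: {'ACTIVE MARKUP PRESENT' if unsafe else 'safe'}")
```

The result shows why the client-side escaping in the description is not a control: the server cannot distinguish a UI-submitted body from a hand-crafted one, so the only reliable place to encode is the server's HTML output (or a template engine that auto-escapes). If the client is left escaping as well, stored comments will double-encode under the hardened renderer; the clean fix is to store raw text and encode once, at output.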