CVE-2026-4681
Received
Received - Intake
Critical RCE via Deserialization in PTC Windchill and FlexPLM
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: 0b655efc-079c-4cb9-9e8d-164871239f4e
Description
Description
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.
This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ptc | windchill | 11.0_m030 |
| ptc | windchill | 11.1_m020 |
| ptc | windchill | 11.2.1.0 |
| ptc | windchill | 12.0.2.0 |
| ptc | windchill | 12.1.2.0 |
| ptc | windchill | 13.0.2.0 |
| ptc | windchill | 13.1.0.0 |
| ptc | windchill | 13.1.1.0 |
| ptc | windchill | 13.1.2.0 |
| ptc | windchill | 13.1.3.0 |
| ptc | flexplm | 11.0_m030 |
| ptc | flexplm | 11.1_m020 |
| ptc | flexplm | 11.2.1.0 |
| ptc | flexplm | 12.0.0.0 |
| ptc | flexplm | 12.0.2.0 |
| ptc | flexplm | 12.0.3.0 |
| ptc | flexplm | 12.1.2.0 |
| ptc | flexplm | 12.1.3.0 |
| ptc | flexplm | 13.0.2.0 |
| ptc | flexplm | 13.0.3.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
