Altium Live
CVE-2026-1008
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.
AnalysisAI
Stored XSS in Altium Live user profile fields allows authenticated attackers to inject malicious scripts that execute when other users view the compromised profile, potentially enabling session hijacking or phishing attacks. The vulnerability stems from inadequate server-side input validation that fails to properly sanitize whitespace-based attribute injection techniques. Exploitation requires a valid user account and victim interaction but carries high risk due to cross-site impact affecting other platform users.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Altium Live. A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticat
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Altium Live
View allAltium Forum has stored XSS in forum posts with scope change (CVSS 9.0). Authenticated attackers can inject JavaScript t
Stored XSS in Altium Live's Support Center AddComment endpoint allows attackers to inject malicious JavaScript that pers
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today