Stored Cross-Site Scripting Vulnerability in Altium 365 by Altium
CVE-2026-1008

7.6HIGH

Key Information:

Vendor: Altium
Status: Altium Live
Vendor: CVE Published:; 15 January 2026

What is CVE-2026-1008?

A stored cross-site scripting (XSS) vulnerability in Altium 365 enables authenticated users to exploit input fields in user profiles. Due to inadequate server-side input sanitization, attackers can inject arbitrary HTML and JavaScript payloads by using whitespace-based attribute parsing techniques. These injected scripts are saved and executed when other users access the affected profile page, posing risks such as session token theft, phishing attacks, and malicious redirects. Mitigation requires user interaction to trigger the attack, and only authenticated accounts can exploit this vulnerability.

Affected Version(s)

Altium Live Web 0 <= 1.2.2

References

https://www.altium.com/platform/security-compliance/secur...

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 15, 2026
Vulnerability Reserved
Jan 15, 2026

CVE-2026-1008 Data

JSON