CVE-2026-1008
Published: 15 January 2026
Summary
CVE-2026-1008 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Altium Altium Live. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-1008 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the user profile text fields in Altium 365. The issue arises from insufficient server-side input sanitization, which permits authenticated users to inject arbitrary HTML and JavaScript payloads by exploiting whitespace-based attribute parsing bypass techniques. Published on 2026-01-15, the vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
An authenticated attacker can exploit this vulnerability by injecting a malicious payload into their own profile text field, where it is persisted on the server. When other users view the attacker's profile page, the payload executes in their browsers, enabling potential session token theft, phishing attacks, or malicious redirects. Successful exploitation requires an authenticated account for the attacker and user interaction from victims to access the crafted profile.
Mitigation details are available in Altium's security advisory at https://www.altium.com/platform/security-compliance/security-advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3046
Vulnerability details
A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is…
more
persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing web app directly enables client-side JS execution (T1059.007) via profile injection (T1190) and session cookie theft (T1539).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the insufficient server-side input sanitization by enforcing validation and restriction of user inputs in profile text fields to prevent HTML/JavaScript injection.
Prevents execution of injected payloads by filtering and encoding information output when rendering affected user profile pages.
Restricts profile text field inputs to safe character sets, reducing the risk of whitespace-based attribute parsing bypasses for XSS payloads.