CVE-2026-1010
Published: 15 January 2026
Summary
CVE-2026-1010 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Altium On-Prem Enterprise Server. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires server-side validation and sanitization of workflow form submission inputs to prevent injection of arbitrary JavaScript by authenticated users.
- Mandates filtering of workflow data outputs when viewed by administrators, preventing execution of injected JavaScript in the browser context.
- Enforces restrictions on information inputs to workflow forms, limiting the ability to submit malicious JavaScript payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct privilege escalation via malicious JS execution in admin context, matching T1068 exploitation for privilege escalation.
NVD Description
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Deeper analysis
CVE-2026-1010 is a stored cross-site scripting (XSS) vulnerability in the Altium Workflow Engine, caused by missing server-side input sanitization in workflow form submission APIs. This allows a regular authenticated user to inject arbitrary JavaScript into workflow data. The issue maps to CWE-79 (cross-site scripting) and CWE-269 (improper privilege management), with a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H). It was published on 2026-01-15.
An attacker with regular authenticated user privileges can exploit this vulnerability by submitting malicious payloads through workflow forms. When an administrator subsequently views the affected workflow, the injected JavaScript executes in the administrator's browser context. This leads to privilege escalation, enabling actions such as creating new administrator accounts, stealing session tokens, and executing other administrative operations.
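As an added illustration (not Altium's code and not taken from the advisory), the Node.js sketch below applies the two controls identified above to a hypothetical workflow form endpoint: SI-10 style validation of submitted fields before they are stored, and SI-15 style HTML encoding of stored values when the administrator view renders them. The field names, rules and sample submission are assumptions.

```javascript
// Added example, not Altium code. Field set and rules are assumed for illustration.
// SI-10: reject unexpected fields, wrong types, oversized values and disallowed
// characters before a workflow form submission is stored.
const FIELD_RULES = {
  title:    { maxLen: 120,  pattern: /^[\w .,:()\/-]+$/ },
  comment:  { maxLen: 2000, pattern: null },              // free text; encoded on output
  priority: { maxLen: 8,    pattern: /^(low|normal|high)$/ },
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateSubmission(body) {
  const errors = [];
  const clean = {};
  for (const key of Object.keys(body)) {
    if (!hasOwn(FIELD_RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(FIELD_RULES)) {
    const value = body[key];
    if (typeof value !== "string") { errors.push(`${key}: must be a string`); continue; }
    if (value.length > rule.maxLen) { errors.push(`${key}: longer than ${rule.maxLen}`); continue; }
    if (rule.pattern && !rule.pattern.test(value)) { errors.push(`${key}: invalid characters`); continue; }
    clean[key] = value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// SI-15: encode every stored value for the HTML context it lands in, so a
// stored payload is displayed as text in the administrator's browser, never run.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Renders one stored workflow record as a table row for the admin view.
// Values go into both a quoted attribute and element text; both are escaped.
function renderWorkflowRow(record) {
  return `<tr data-priority="${escapeHtml(record.priority)}">` +
         `<td>${escapeHtml(record.title)}</td><td>${escapeHtml(record.comment)}</td></tr>`;
}

// Constructed sample submission carrying a script payload in the free-text field.
const SAMPLE = {
  title: "Board rev B review",
  priority: "high",
  comment: '<img src=x onerror="alert(1)">',
};
```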
Mitigation details are available in Altium's security advisory at https://www.altium.com/platform/security-compliance/security-advisories.
Details
- CWE(s)