CVE 9.4 CRITICAL

Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write_CVE-2026-9102

May 20, 2026 invoker category_cve
9.4 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.




Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.

AI Analysis

Path traversal vulnerability allowing arbitrary file write and potential remote code execution

Basic Information

ID CVE-2026-9102
Source Altium
Published May 20, 2026 at 17:48

Affected Product

Vendor Altium
Product Altium Enterprise Server
Affected Versions Altium Altium Enterprise Server 0

CWE Classification

CWE-22 CWE-434

AI Assessment

AI Score 9.4 / 10
AI Severity Critical
Vendor Altium
Product Altium Enterprise Server

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.