CVE-2025-27379

MEDIUM

Altium On-Prem Enterprise Server 7.0.3-7.0.6 - Authenticated Stored Cross-Site Scripting in BOM Viewer Description Field

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.

References (1)

Core 1

Core References

Various Sources

https://www.altium.com/platform/security-compliance/security-advisories

Scores

CVSS v3 6.8

EPSS 0.0020

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

altium/on-prem_enterprise_server 7.0.3 - 7.0.6

Published Jan 22, 2026

Tracked Since Feb 18, 2026