[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-11423":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T14:55:36.164Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":292,"aliases":293,"duplicate_of":9,"upstream":294,"downstream":295,"duplicates":296,"related":297,"reserved_at":9,"published_at":298,"modified_at":298,"state":299,"summary":300,"references_raw":309,"kevs":315,"epss":316,"epss_history":319,"metrics":321,"affected":328},"CVE-2026-11423","A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is later used to construct the download path on the server without validation, allowing arbitrary files to be read from the server filesystem.\n\n\n\n\nBecause the readable files include the server's master configuration, which stores credentials for privileged accounts, exploitation can lead to authenticating as a system administrator and gaining full control of the server. Altium 365 cloud deployments are not affected.",null,[11,40],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],{"_key":41,"id":41,"name":42,"description":43,"type":15,"status":44,"abstraction":45,"likelihood_of_exploit":46,"capec":47},"CWE-269","Improper Privilege Management","The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.","Draft","Class","Medium",[48,210,288],{"id":49,"name":50,"techniques":51},"CAPEC-122","Privilege Abuse",[52],{"id":53,"name":54,"tactics":55,"countermeasures":62},"T1548","Abuse Elevation Control Mechanism",[56,59],{"id":57,"name":58},"TA0030","Defense Evasion",{"id":60,"name":61},"TA0111","Privilege Escalation",[63,68,72,76,80,85,89,93,97,101,105,109,113,117,122,126,131,136,140,144,148,153,157,161,165,169,174,178,182,186,190,194,198,202,206],{"id":64,"name":65,"tactic":66},"D3-CI","Configuration Inventory",{"name":67},"Model",{"id":69,"name":70,"tactic":71},"D3-AM","Access Modeling",{"name":67},{"id":73,"name":74,"tactic":75},"D3-DI","Data Inventory",{"name":67},{"id":77,"name":78,"tactic":79},"D3-NTPM","Network Traffic Policy Mapping",{"name":67},{"id":81,"name":82,"tactic":83},"D3-AEM","Application Exception Monitoring",{"name":84},"Detect",{"id":86,"name":87,"tactic":88},"D3-SCA","System Call Analysis",{"name":84},{"id":90,"name":91,"tactic":92},"D3-SFA","System File Analysis",{"name":84},{"id":94,"name":95,"tactic":96},"D3-FA","File Analysis",{"name":84},{"id":98,"name":99,"tactic":100},"D3-FIM","File Integrity Monitoring",{"name":84},{"id":102,"name":103,"tactic":104},"D3-OPM","Operational Process Monitoring",{"name":84},{"id":106,"name":107,"tactic":108},"D3-DA","Dynamic Analysis",{"name":84},{"id":110,"name":111,"tactic":112},"D3-EFA","Emulated File Analysis",{"name":84},{"id":114,"name":115,"tactic":116},"D3-PSA","Process Spawn Analysis",{"name":84},{"id":118,"name":119,"tactic":120},"D3-FEV","File Eviction",{"name":121},"Evict",{"id":123,"name":124,"tactic":125},"D3-AL","Account Locking",{"name":121},{"id":127,"name":128,"tactic":129},"D3-DF","Decoy File",{"name":130},"Deceive",{"id":132,"name":133,"tactic":134},"D3-FE","File Encryption",{"name":135},"Harden",{"id":137,"name":138,"tactic":139},"D3-AA","Agent Authentication",{"name":135},{"id":141,"name":142,"tactic":143},"D3-CDP","Change Default Password",{"name":135},{"id":145,"name":146,"tactic":147},"D3-SCP","System Configuration Permissions",{"name":135},{"id":149,"name":150,"tactic":151},"D3-RC","Restore Configuration",{"name":152},"Restore",{"id":154,"name":155,"tactic":156},"D3-RF","Restore File",{"name":152},{"id":158,"name":159,"tactic":160},"D3-ULA","Unlock Account",{"name":152},{"id":162,"name":163,"tactic":164},"D3-RUAA","Restore User Account Access",{"name":152},{"id":166,"name":167,"tactic":168},"D3-RD","Restore Database",{"name":152},{"id":170,"name":171,"tactic":172},"D3-SCF","System Call Filtering",{"name":173},"Isolate",{"id":175,"name":176,"tactic":177},"D3-CF","Content Filtering",{"name":173},{"id":179,"name":180,"tactic":181},"D3-LFP","Local File Permissions",{"name":173},{"id":183,"name":184,"tactic":185},"D3-RFAM","Remote File Access Mediation",{"name":173},{"id":187,"name":188,"tactic":189},"D3-CQ","Content Quarantine",{"name":173},{"id":191,"name":192,"tactic":193},"D3-CM","Content Modification",{"name":173},{"id":195,"name":196,"tactic":197},"D3-UAP","User Account Permissions",{"name":173},{"id":199,"name":200,"tactic":201},"D3-EAL","Executable Allowlisting",{"name":173},{"id":203,"name":204,"tactic":205},"D3-EDL","Executable Denylisting",{"name":173},{"id":207,"name":208,"tactic":209},"D3-HBPI","Hardware-based Process Isolation",{"name":173},{"id":211,"name":61,"techniques":212},"CAPEC-233",[213],{"id":53,"name":54,"tactics":214,"countermeasures":217},[215,216],{"id":57,"name":58},{"id":60,"name":61},[218,220,222,224,226,228,230,232,234,236,238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,274,276,278,280,282,284,286],{"id":64,"name":65,"tactic":219},{"name":67},{"id":69,"name":70,"tactic":221},{"name":67},{"id":73,"name":74,"tactic":223},{"name":67},{"id":77,"name":78,"tactic":225},{"name":67},{"id":81,"name":82,"tactic":227},{"name":84},{"id":86,"name":87,"tactic":229},{"name":84},{"id":90,"name":91,"tactic":231},{"name":84},{"id":94,"name":95,"tactic":233},{"name":84},{"id":98,"name":99,"tactic":235},{"name":84},{"id":102,"name":103,"tactic":237},{"name":84},{"id":106,"name":107,"tactic":239},{"name":84},{"id":110,"name":111,"tactic":241},{"name":84},{"id":114,"name":115,"tactic":243},{"name":84},{"id":118,"name":119,"tactic":245},{"name":121},{"id":123,"name":124,"tactic":247},{"name":121},{"id":127,"name":128,"tactic":249},{"name":130},{"id":132,"name":133,"tactic":251},{"name":135},{"id":137,"name":138,"tactic":253},{"name":135},{"id":141,"name":142,"tactic":255},{"name":135},{"id":145,"name":146,"tactic":257},{"name":135},{"id":149,"name":150,"tactic":259},{"name":152},{"id":154,"name":155,"tactic":261},{"name":152},{"id":158,"name":159,"tactic":263},{"name":152},{"id":162,"name":163,"tactic":265},{"name":152},{"id":166,"name":167,"tactic":267},{"name":152},{"id":170,"name":171,"tactic":269},{"name":173},{"id":175,"name":176,"tactic":271},{"name":173},{"id":179,"name":180,"tactic":273},{"name":173},{"id":183,"name":184,"tactic":275},{"name":173},{"id":187,"name":188,"tactic":277},{"name":173},{"id":191,"name":192,"tactic":279},{"name":173},{"id":195,"name":196,"tactic":281},{"name":173},{"id":199,"name":200,"tactic":283},{"name":173},{"id":203,"name":204,"tactic":285},{"name":173},{"id":207,"name":208,"tactic":287},{"name":173},{"id":289,"name":290,"techniques":291},"CAPEC-58","Restful Privilege Elevation",[],[],[],[],[],[],[],"2026-06-05T20:12:50.667Z","Received",{"cisa_kev":301,"cisa_ransomware":301,"cisa_vendor":9,"epss_severity":302,"epss_score":303,"severity":304,"severity_score":305,"severity_version":306,"severity_source":307,"severity_vector":308,"severity_status":299},false,"low",0.00046,"critical",9.4,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",[310],{"url":311,"sources":312,"tags":314},"https://www.altium.com/platform/security-compliance/security-advisories",[307,313],"nvd",[],[],{"date":317,"score":303,"percentile":318},"2026-06-06",0.14519,[320],{"date":317,"score":303,"percentile":318},[322,325],{"source":307,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":323},{"baseScore":305,"baseSeverity":324,"vectorString":308,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":313,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":326},{"baseScore":305,"baseSeverity":324,"vectorString":327,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[329],{"ecosystem":9,"name":330,"vendor":331,"product":332,"cpe_part":333,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":334},"Altium Enterprise Server","altium","altium enterprise server","a",[335],{"version":336,"is_range":337,"range_type":307,"version_start":9,"version_start_type":9,"version_end":338,"version_end_type":339,"fixed_in":9},"\u003C 8.1.1",true,"8.1.1","excluding"]