HOMEVULNERABILITIESCVE-2026-9102
CRITICAL

CVE-2026-9102

CWE-22Published: May 20, 2026· Updated: May 21, 2026

9.4
CVSS v3.1
EPSS:0.48%probability of exploitation in 30 daysPercentile:65.5th

Official Description

A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.

Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.

NVD Source

Risk Analysis

This critical path traversal vulnerability in Altium Enterprise Server ComparisonService allows an authenticated user to write arbitrary files to any location on the server filesystem. The flaw is due to missing filename sanitization in Gerber file upload APIs. With a CVSSv4 score of 9.4, this can be escalated to remote code execution or service takeover by overwriting application binaries or configuration files.

No public exploit is currently known for this vulnerability. The vulnerability is remotely exploitable by an authenticated user over the network with low attack complexity.

Recommended Action

Organizations using Altium Enterprise Server should apply available patches to address the filename sanitization issue. Implement robust input validation for uploaded filenames and restrict write permissions to critical directories.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2026-9102 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeX
Impact
Confidentiality
Integrity
Availability
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (1)

Quick Facts

CVE IDCVE-2026-9102
CVSS Score9.4 / 10
SeverityCRITICAL
WeaknessCWE-22
CISA KEVNo
EPSS (30d)0.48%
PublishedMay 20, 2026

Related CVEs (CWE-22)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-9102 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.