CVE-2026-11420

216.73.216.233

· Published 05/06/2026 20:17 · Modified 05/06/2026 20:49

Labels: CVE-2026-11420 2026-06-05 4760f414-e1ae-4ff1-bdad-c7a9c3538b79 CVE-2026-11420 CWE-22

Essential information

Published: 05/06/2026 20:17
Modified: 05/06/2026 20:49
Author: —
Creator: —
CVSS: 10.0 CRITICAL (v3) 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
NVD: View on NVD

Affected products (CPE)

Product	CPE
altium / altium enterprise server	`cpe:2.3:a:altium:altium_enterprise_server::::::::`