CVE-2025-27378

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.altium.com/platform/security-compliance/security-advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:altium:on-prem_enterprise_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-22 01:15

Updated : 2026-02-26 21:25

NVD link : CVE-2025-27378

Mitre link : CVE-2025-27378

CVE.ORG link : CVE-2025-27378

JSON object : View

Products Affected

altium

on-prem_enterprise_server

CWE

CWE-20

Improper Input Validation

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-27378", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-01-22T01:15:51.077", "references": [{"url": "https://www.altium.com/platform/security-compliance/security-advisories", "tags": ["Vendor Advisory"], "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."}, {"lang": "es", "value": "AES contiene una vulnerabilidad de inyecci\u00f3n SQL debido a una configuraci\u00f3n inactiva que impide que se aplique la l\u00f3gica de an\u00e1lisis SQL m\u00e1s reciente. Cuando esta configuraci\u00f3n no est\u00e1 habilitada, la entrada manipulada puede ser manejada incorrectamente, permitiendo a los atacantes inyectar y ejecutar consultas SQL arbitrarias."}], "lastModified": "2026-02-26T21:25:32.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:altium:on-prem_enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F31D6A7-989F-4647-AA13-38737112E369", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79"}