Article - CS466866
Urgent: Path Traversal Vulnerability reported in Windchill and FlexPLM
Modified: 03-Apr-2026
Applies To
- Windchill PDMLink 11.0 M030
- FlexPLM 11.0 M030
- FlexPLM 11.1 M020
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 11.2.1.0
- FlexPLM 11.2.1.0
- FlexPLM 12.0.0.0
- FlexPLM 12.0.2.0
- Windchill PDMLink 13.1.0.0
- Windchill PDMLink 13.0.2.0
- FlexPLM 12.1.2.0
- FlexPLM 12.1.3.0
- FlexPLM 12.0.3.0
- FlexPLM 13.0.2.0
- Windchill PDMLink 12.0.2.0
- FlexPLM 13.0.3.0
- Windchill PDMLink 13.1.1.0
- Windchill PDMLink 12.1.2.0
- Windchill PDMLink 13.1.2.0
- Windchill PDMLink 13.1.3.0
- This advisory applies to all CPS versions
- The identified vulnerability impacts Windchill and FlexPLM releases prior to 11.0 M030
Description
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory
- A CVE has not yet been assigned to this vulnerability
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our advisory also reflects the score of 10.0 based on the CVSS v3.1 calculator.
- CVSS v3.1 Base Score: 7.5 (High)
- CVSS v4 Base Score: 8.7 (High)
- At this time, there is no evidence of confirmed exploitation affecting PTC customers