Article - CS466867
Workarounds for Windchill and FlexPLM Path Traversal Vulnerability in Out of Support Releases
Modified: 02-Apr-2026
Applies To
- Windchill PDMLink 9.0 to 10.2
- FlexPLM 9.0 to 10.2
- Apache HTTP Server 2.0-2.2
Description
- Workarounds for Path Traversal Vulnerability in Windchill and FlexPLM Out of Support Releases
- For details related to this Urgent Path Traversal vulnerability, refer to:
  - CS466866 (main article; provides guidance and actions required for Windchill and FlexPLM releases 11.0 and above)
- A CVE has not yet been assigned to this vulnerability
- CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
- CVSS v3.1 Base Score: 7.5 (High)
- CVSS v4 Base Score: 8.7 (High)
- For Windchill and FlexPLM releases prior to 11.0, PTC's primary recommendation remains that you should disconnect your system from the public Internet until you are able to upgrade to a release where the workaround and future product fixes will be made available.