Article - CS466318
Critical RCE Vulnerability reported in Windchill
Modified: 23-Mar-2026
Applies To
- Windchill PDMLink 11.0 M030
- Windchill PDMLink 11.1 M020
- Windchill PDMLink 11.2.1.0
- Windchill PDMLink 12.0.2.0
- Windchill PDMLink 12.1.2.0
- Windchill PDMLink 13.0.2.0
- Windchill PDMLink 13.1.0.0
- Windchill PDMLink 13.1.1.0
- Windchill PDMLink 13.1.2.0
- Windchill PDMLink 13.1.3.0
- FlexPLM 11.0 M030
- FlexPLM 11.1 M020
- FlexPLM 11.2.1.0
- FlexPLM 12.0.0.0
- FlexPLM 12.0.2.0
- FlexPLM 12.0.3.0
- FlexPLM 12.1.2.0
- FlexPLM 12.1.3.0
- FlexPLM 13.0.2.0
- FlexPLM 13.0.3.0
- This advisory applies to all CPS versions
- The identified vulnerability impacts Windchill and FlexPLM releases prior to 11.0 M030
Description
- The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
- CVE-2026-4681 has been reported
- CWE - CWE-94: Improper Control of Generation of Code ('Code Injection') (4.19.1)
- Note that CVE.org supports only the latest CVSS scoring calculator (v4). Our advisory also reflects the score of 10.0 based on the CVSS v3.1 calculator.
- CVSS v3.1 Base Score: 10.0 (Critical)
- CVSS v4 Base Score: 9.3 (Critical)
- At this time, there is no evidence of confirmed exploitation affecting PTC customers
- If you do not have an eSupport login, you can access the remediation steps here: Windchill & FlexPLM Response Center