The vulnerability, tracked as CVE-2026-12569, is an unsafe deserialization flaw that enables remote code execution. It’s located in the web-based Windchill PDMLink product data management component.
| Vendor | Product | Versions |
|---|---|---|
| ptc | flexplm | 0, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0, 0, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0, multiple versions |

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| ptc | ptc flexplm | cert_advisory | 90% |
| ptc | ptc windchill | cert_advisory | 90% |
| ptc | windchill_pdmlink | cve_cpe | 95% |

Updated severity to CRITICAL, added CVSS score of 9.3, and included new indicators of compromise and a new patch version.
Updated description with new technical details, changed severity to CRITICAL, and updated CVSS score to 9.3, along with new IoCs.
Updated description with technical details, changed severity to HIGH, and added IoCs.
Updated description with technical details, added affected version 11.0 M030, changed severity to CRITICAL, updated CVSS score to 10.0, and provided patch release date of 15.06.2026.
Updated severity to CRITICAL, added new description with details on improper input validation, and noted that no exploit is available.
Initial creation