VYPR
Unrated severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026

Critical Remote Code Execution vulnerability reported in Windchill

CVE-2026-4681

Description

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.

This issue affects Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0; FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0.

Affected products

4
  • Ptc/Windchill PDMLinkllm-create2 versions
    = 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13. 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0+ 1 more
    • (no CPE)range: = 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13. 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
    • (no CPE)range: 11.0 M030
  • Ptc/FlexPLMllm-create2 versions
    = 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0+ 1 more
    • (no CPE)range: = 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0
    • (no CPE)range: 11.0 M030

Patches

Vulnerability mechanics

References

1

News mentions

2