Description
A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Published: 2026-03-31
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the Document Management component of Dassault Systèmes ENOVIA Collaborative Industry Innovator. The flaw allows a malicious user to store script code that is later rendered in other users’ browsers, enabling arbitrary client‑side code execution. This can lead to session hijacking, the theft of sensitive data, or interface defacement. The weakness is characterized as CWE‑79.

Affected Systems

The vulnerability impacts Dassault Systèmes ENOVIA Collaborative Industry Innovator in 3DEXPERIENCE releases from R2023x through R2025x.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, yet the EPSS score of less than 1% reflects a low probability of exploitation. The issue is not listed in the CISA KEV catalog. Attackers would need to inject malicious content via the document submission or management interface; the content is stored and later served to users, providing the attack vector.

Generated by OpenCVE AI on April 13, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security release from Dassault Systèmes for ENOVIA Collaborative Industry Innovator, which addresses the stored XSS issue.

Generated by OpenCVE AI on April 13, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared 3ds
3ds 3dexperience
CPEs cpe:2.3:o:3ds:3dexperience:*:*:*:*:*:*:*:*
Vendors & Products 3ds
3ds 3dexperience

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Dassult
Dassult enovia Collaborative Industry Innovator
Vendors & Products Dassult
Dassult enovia Collaborative Industry Innovator

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.
Title Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

3ds 3dexperience
Dassult Enovia Collaborative Industry Innovator
cve-icon MITRE

Status: PUBLISHED

Assigner: 3DS

Published:

Updated: 2026-03-31T13:45:07.096Z

Reserved: 2025-09-16T12:56:32.752Z

Link: CVE-2025-10551

cve-icon Vulnrichment

Updated: 2026-03-31T13:45:02.860Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T09:16:21.623

Modified: 2026-04-13T13:28:22.133

Link: CVE-2025-10551

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:28Z

Weaknesses