Description
A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary script code in user's browser session.
Published: 2026-02-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Script Execution
Action: Apply Patch
AI Analysis

Impact

The flaw is a reflected Cross‑Site Scripting (XSS) vulnerability that allows an attacker to execute arbitrary script code in the victim's browser session when a malicious request is made to ENOVIAvpm Web Access. It is classified as CWE‑79, a classic input validation weakness. The potential impact is limited to execution of code within the victim's browser context; the CVE description does not indicate additional data exfiltration or session hijacking beyond that scope.

Affected Systems

Dassault Systèmes ENOVIAvpm Web Access versions 1 Release 16 through 1 Release 19 are affected. Systems running any of these releases should confirm their installed version and take remediation action.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity flaw. The EPSS score of < 1% indicates a very low estimated likelihood of exploitation. Because the flaw is reflected XSS, an attacker must craft a malicious URL or input and persuade a user to load it, so exploitation requires user interaction. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation at present.

Generated by OpenCVE AI on April 18, 2026 at 12:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the ENOVIAvpm Web Access installation is running a vulnerable release (1 Release 16 through 1 Release 19).
  • Apply the vendor‑supplied patch or upgrade to a non‑vulnerable release beyond 1 Release 19.
  • Configure the application or a Web Application Firewall to filter or encode user input before it is reflected back in responses.
  • Use a security tool to scan for XSS exposures in the deployed application and monitor logs for unexpected script execution.



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 17 Feb 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dassault Systemes; Dassault Systemes enoviavpm Web Access |
| Vendors & Products | | Dassault Systemes; Dassault Systemes enoviavpm Web Access |

Mon, 16 Feb 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary script code in user's browser session. |
| Title | | Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: 3DS

Published:

Updated: 2026-02-17T14:53:09.223Z

Reserved: 2026-02-06T12:38:59.679Z

Link: CVE-2026-2101

Vulnrichment

Updated: 2026-02-17T14:53:05.636Z

NVD

Status: Deferred

Published: 2026-02-16T17:18:09.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses