CVE-2026-2101: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Dassault Systèmes ENOVIAvpm Web Access
A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary script code in a user's browser session.
AI Analysis
Technical Summary
CVE-2026-2101 is a reflected Cross-site Scripting (XSS) vulnerability identified in Dassault Systèmes ENOVIAvpm Web Access, affecting versions from V1R16 Golden through V1R19 Golden. The vulnerability arises from improper neutralization of user-supplied input during web page generation, categorized under CWE-79. This flaw allows an attacker to craft malicious URLs or web content that, when accessed by an authenticated user with at least limited privileges, executes arbitrary JavaScript code within the victim's browser session. The CVSS 3.1 base score of 8.7 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and requirement for user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact on confidentiality and integrity is high (C:H, I:H), while availability is unaffected (A:N). This vulnerability could be exploited to steal session cookies, perform unauthorized actions on behalf of the user, or deliver further malware payloads. Although no public exploits are currently known, the high severity and widespread use of ENOVIAvpm in industrial design and manufacturing environments make this a critical issue. The lack of available patches at the time of publication necessitates immediate interim mitigations. The vulnerability is particularly concerning for environments where ENOVIAvpm is integrated into critical workflows, as successful exploitation could lead to significant data breaches and operational disruptions.
Potential Impact
For European organizations, especially those in aerospace, automotive, and industrial design sectors that rely heavily on Dassault Systèmes ENOVIAvpm Web Access, this vulnerability poses a significant risk. Exploitation can lead to unauthorized disclosure of sensitive intellectual property, user credentials, and session tokens, compromising confidentiality. Integrity is also at risk as attackers could perform unauthorized actions within the application context, potentially altering design data or configurations. Although availability is not directly impacted, the indirect consequences of data manipulation or breach could disrupt business operations and damage reputations. The requirement for user interaction and limited privileges means targeted phishing or social engineering campaigns could be effective attack vectors. Given the critical role of ENOVIAvpm in product lifecycle management, exploitation could have cascading effects on supply chains and compliance with European data protection regulations such as GDPR. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score underscores the urgency for mitigation.
Mitigation Recommendations
1. Monitor Dassault Systèmes communications closely for official patches addressing CVE-2026-2101 and apply them promptly upon release.
2. Until patches are available, implement strict input validation and output encoding on all user-supplied data within ENOVIAvpm Web Access, focusing on contexts vulnerable to script injection.
3. Deploy Web Application Firewalls (WAFs) with updated signatures capable of detecting and blocking reflected XSS payloads targeting ENOVIAvpm endpoints.
4. Educate users on the risks of clicking unsolicited links and implement email filtering to reduce phishing attempts that could deliver malicious URLs.
5. Restrict ENOVIAvpm Web Access usage to trusted networks and consider VPN or zero-trust network access controls to limit exposure.
6. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities to identify and remediate similar issues proactively.
7. Review and enforce least privilege principles for user accounts within ENOVIAvpm to minimize potential damage from compromised sessions.
8. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting the sources from which scripts can be loaded.
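Added example (not ENOVIAvpm or Dassault Systèmes code; the endpoint paths, parameter names and access-log lines are constructed): context-specific output encoding for a reflected parameter (recommendation 2), a nonce-based CSP header that leaves reflected inline script unexecuted (recommendation 8), and a coarse WAF/SIEM-style detector for reflected-XSS probes in request logs (recommendation 3).

```python
import html
import json
import re
import secrets
from urllib.parse import unquote_plus

# Constructed demonstration of mitigations 2, 3 and 8; none of this is ENOVIAvpm code.
def render_unsafe(q: str) -> str:
    """Vulnerable pattern: the request parameter is copied into the HTML as-is."""
    return f"<p>Results for: {q}</p>"

def render_safe(q: str) -> str:
    """HTML body/attribute context: entity-encode &, <, >, quotes so input stays text."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"

def js_string_safe(q: str) -> str:
    """JS string-literal context: JSON-encode, then \\u-escape < and > so '</script>' cannot close the tag."""
    return json.dumps(q).replace("<", "\\u003c").replace(">", "\\u003e")

def make_nonce() -> str:
    """Fresh per-response nonce; only <script nonce=...> tags carrying it may run."""
    return secrets.token_urlsafe(16)

def csp_header(nonce: str) -> str:
    """Content-Security-Policy value: same-origin resources, nonce-gated scripts, no plugins,
    no <base> or framing tricks. Reflected inline script lacks the nonce, so the browser blocks it."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'self'")

# Coarse detection: script-like markup inside a request's query string after URL-decoding.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')
SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - [17/Feb/2026:08:23:12 +0000] "GET /webaccess/search?q=bracket HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Feb/2026:08:24:23 +0000] "GET /webaccess/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [17/Feb/2026:08:25:01 +0000] "GET /webaccess/item?id=42&cb=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 700',
]

def suspicious_requests(log_lines):
    """Return decoded request targets whose query string carries script-like markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m or "?" not in m.group(1):
            continue
        target = unquote_plus(m.group(1))
        if XSS_MARKERS.search(target.split("?", 1)[1]):
            hits.append(target)
    return hits
```

The detector is deliberately coarse and should feed triage rather than block on its own; encoding at the output sink and the CSP are the controls that actually neutralize the reflection.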
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: 3DS
- Date Reserved: 2026-02-06T12:38:59.679Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6994257080d747be207b7286
Added to database: 2/17/2026, 8:23:12 AM
Last enriched: 2/17/2026, 8:24:23 AM
Last updated: 2/21/2026, 12:20:09 AM