{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3476", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "state": "PUBLISHED", "assignerShortName": "3DS", "dateReserved": "2026-03-03T13:13:51.497Z", "datePublished": "2026-03-16T11:48:18.815Z", "dateUpdated": "2026-03-17T03:55:29.037Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2026-03-16T15:20:08.776Z"}, "title": "Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "SOLIDWORKS Desktop", "versions": [{"status": "affected", "version": "Release 2025 SP0", "lessThanOrEqual": "Release 2025 SP5", "versionType": "custom"}, {"status": "affected", "version": "Release 2026 SP0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file."}]}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2026-3476"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "credits": [{"lang": "en", "value": "Sim\u00f3n Marcote", "type": "finder"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-3476"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T03:55:29.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T18:44:12.672125Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:44:21.081Z"}}], "cna": {"title": "Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Sim\u00f3n Marcote"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dassault Syst\u00e8mes", "product": "SOLIDWORKS Desktop", "versions": [{"status": "affected", "version": "Release 2025 SP0", "versionType": "custom", "lessThanOrEqual": "Release 2025 SP5"}, {"status": "affected", "version": "Release 2026 SP0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2026-3476"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.", "supportingMedia": [{"type": "text/html", "value": "A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "shortName": "3DS", "dateUpdated": "2026-03-16T15:20:08.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3476", "state": "PUBLISHED", "dateUpdated": "2026-03-17T03:55:29.037Z", "dateReserved": "2026-03-03T13:13:51.497Z", "assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433", "datePublished": "2026-03-16T11:48:18.815Z", "assignerShortName": "3DS"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file."}], "id": "CVE-2026-3476", "lastModified": "2026-03-16T16:16:16.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:48.130", "references": [{"source": "3DS.Information-Security@3ds.com", "url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2026-3476"}], "sourceIdentifier": "3DS.Information-Security@3ds.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "3DS.Information-Security@3ds.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[Release 2025 SP0, Release 2025 SP5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Release 2026 SP0"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "SOLIDWORKS Desktop", "source": "cna", "vendor": "Dassault Syst\u00e8mes"}, "product": "solidworks_edrawings", "vendor": "dassault_syst\u00e8mes"}], "analysis": {"en": {"generated_at": "2026-03-17T06:20:48.723843+00:00", "value": {"mitigation_remediation": ["Check Dassault\u202fSyst\u00e8mes\u2019 security advisory for an official patch or update and apply it immediately.", "Verify that your SOLIDWORKS Desktop installation is not a Release\u202f2025 or Release\u202f2026 build; if it is, treat it as vulnerable until patched.", "Avoid opening files from unknown or untrusted sources until the vulnerability is patched.", "Maintain up\u2011to\u2011date anti\u2011virus or endpoint protection to detect malicious files.", "Monitor logs for abnormal execution of SOLIDWORKS processes that may indicate exploitation attempts."], "summary": {"action": "Patch Immediately", "impact": "Code Execution"}, "threat_synthesis": {"affected_systems": "Any installation of SOLIDWORKS Desktop that falls within Release\u202f2025 or Release\u202f2026 is vulnerable; no specific sub\u2011versions or build numbers are listed, and available patches are not provided in the advisories.", "description_and_impact": "A code injection flaw (CWE\u201194) in Dassault\u202fSyst\u00e8mes SOLIDWORKS Desktop releases 2025 through 2026 allows an attacker to execute arbitrary code on the user\u2019s machine when a specially crafted file is opened. Key detail from CVE description: the vulnerability is triggered during file processing, providing code execution under the current user\u2019s context and potentially granting full access to the system if the user is an administrator.", "risk_and_exploitability": "The CVSS score of 7.8 indicates moderate\u2011to\u2011high severity, while the EPSS of less than 1\u202f% suggests a low current likelihood of exploitation. Based on the description, it is inferred that the attacker must supply a malicious file that the user opens, implying a local, user\u2011initiated attack vector. The vulnerability is not listed in CISA\u2019s KEV catalog and thus is not known to be actively exploited in the wild. Until an official patch is released, the risk persists for all affected installations, especially for environments that routinely process untrusted design files."}}}}, "created": "2026-03-24T10:44:53.421908+00:00", "updated": "2026-03-30T08:00:25.425161+00:00", "vendors": ["dassault_syst\u00e8mes", "dassault_syst\u00e8mes$PRODUCT$solidworks_edrawings"]}