Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A Code Injection vulnerability affecting in SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.
AnalysisAI
A code injection vulnerability in SOLIDWORKS Desktop releases 2025 through 2026 allows attackers to execute arbitrary code on victim machines by tricking users into opening specially crafted files. The vulnerability requires local access and user interaction but provides complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 7.8). No evidence of active exploitation or proof-of-concept code has been reported.
Technical ContextAI
The vulnerability affects Dassault Systèmes SOLIDWORKS Desktop software (CPE: cpe:2.3:a:dassault_systèmes:solidworks_desktop:*:*:*:*:*:*:*:*), a professional 3D CAD application widely used in engineering and manufacturing. The root cause is improper input validation leading to code injection (CWE-94), where the application fails to properly sanitize or validate data within specially crafted files before processing them. This allows malicious code embedded in the file to be interpreted and executed by the application with the privileges of the current user.
RemediationAI
Users should immediately check the 3DS security advisory at https://www.3ds.com/trust-center/security/security-advisories/CVE-2026-3476 for patch availability and upgrade instructions for SOLIDWORKS Desktop. Until patches are applied, implement compensating controls including restricting SOLIDWORKS file sources to trusted origins only, scanning files with updated antivirus before opening, and educating users about the risks of opening SOLIDWORKS files from untrusted sources or unexpected emails. Consider implementing application sandboxing or virtualization for high-risk users who must work with external files.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12419