CRITICAL · CVE-2026-10094 · Published · Modified · CNA: 3DS

CVE-2026-10094: Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026

A Path Traversal vulnerability affecting SOLIDWORKS Visualize from SOLIDWORKS Desktop Release 2024 through SOLIDWORKS Desktop Release 2026 could allow an attacker to write arbitrary files on the server.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A path traversal vulnerability in SOLIDWORKS Visualize (Desktop Releases 2024 through 2026) allows a remote, unauthenticated attacker to write arbitrary files on the host system. The vulnerability is reachable over the network with no authentication and no user interaction required, as indicated by the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker full write access to the filesystem, enabling remote code execution, data destruction, or persistent backdoor installation. No fix versions have been published by the vendor; HarborGuard is tracking this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-10094 is available across every HarborGuard environment. Once the CVE is ingested from upstream advisory feeds (typically within minutes of publication), it is matched against all customer images in connected registries and CI/CD pipelines, including internally built images that bundle SOLIDWORKS Visualize components.

Status: Available

Triage

Triage is available with the full CVSS v3.1 score of 9.8 (Critical) applied automatically, weighted against each customer organization's per-environment compliance policy to determine urgency tier. Routed findings land in the appropriate team inbox based on ownership rules configured in each customer's HarborGuard org.

Status: Available

Patch

Because no upstream fix versions have been published for this vulnerability, HarborGuard re-checks the Dassault Systèmes advisory each ingest cycle. The moment an upstream patch is released, a patched-image rebuild at the fixed version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a pull request opened against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker can send a crafted request from any internet-accessible or internal network position without needing physical access.

  • Authentication: Not required

    No account or credential of any privilege level is needed to trigger the path traversal; the endpoint accepts unauthenticated requests.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user action; exploitation can proceed entirely server-side.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.

Blast Radius

  • Writes arbitrary files to any path the SOLIDWORKS Visualize process has access to on the host filesystem, enabling placement of web shells, cron jobs, or other persistent execution hooks.
  • Overwrites existing application or configuration files, which can corrupt the service, escalate privileges, or redirect internal traffic.
  • Full confidentiality and integrity of host data are at risk (CVSS C:H/I:H), meaning stored project files, credentials cached on disk, and application secrets can be overwritten or replaced.
  • The availability impact is rated High (A:H), so targeted writes can render the SOLIDWORKS Visualize service and dependent workflows completely inoperable.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-10094 at this time, the recommended posture is active monitoring combined with compensating controls. HarborGuard re-evaluates the Dassault Systèmes advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published; customers with auto-remediation enabled will receive that rebuild plus a regression test run and an automated PR against affected workloads without manual intervention. In the interim, compensating controls worth applying at the environment level include network-policy isolation that restricts inbound access to SOLIDWORKS Visualize endpoints to known, trusted source addresses; egress filtering to limit what the process can reach if it is exploited; and, where operationally feasible, disabling or gating the Visualize service behind an authenticated reverse proxy. Customers should review their HarborGuard compliance policy settings to ensure this Critical-rated finding is routed with appropriate urgency to the owning team.

Affected packages
  • Dassault Systèmes / SOLIDWORKS Visualize
    ≤ SOLIDWORKS Desktop Release 2024 SP5 · ≤ SOLIDWORKS Desktop Release 2025 SP5 · ≤ SOLIDWORKS Desktop Release 2026 SP2.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References