CVE-2026-9024 PUBLISHED

Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x

Assigner: 3DS
Reserved: 19.05.2026 Published: 01.06.2026 Updated: 01.06.2026

A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Dassault Systèmes
Product	DELMIA Service Process Engineer
Versions	Default: unaffected affected from Release 3DEXPERIENCE R2024x Golden to 3DEXPERIENCE R2024x FP.CFA.2537 (incl.) affected from Release 3DEXPERIENCE R2025x Golden to 3DEXPERIENCE R2025x FP.CFA.2541 (incl.) Version Release 3DEXPERIENCE R2026x Golden is affected

References

https://www.3ds.com/trust-center/security/security-advisories/cve-2026-9024

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE