Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.
AnalysisAI
Stored cross-site scripting in Dassault Systèmes DELMIA Service Process Engineer (Process Experience Studio component) across releases 3DEXPERIENCE R2024x through R2026x allows an authenticated low-privilege attacker to inject persistent script payloads that execute in another user's browser session. With a CVSS 3.1 base of 8.7 driven by scope change and high confidentiality/integrity impact, successful exploitation can compromise the victim's 3DEXPERIENCE session data and authority across trust boundaries. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in the Process Experience Studio module of DELMIA Service Process Engineer, a PLM/manufacturing-engineering web application that runs on Dassault Systèmes' 3DEXPERIENCE platform. Stored XSS arises when user-supplied content (such as field values, process definitions, or annotations entered into Studio) is persisted server-side and later rendered into another user's authenticated DOM without proper output encoding or contextual escaping, letting attacker-controlled HTML/JavaScript execute under the victim's origin. The CVSS scope change (S:C) indicates the injected script can affect resources beyond the vulnerable component - typical of XSS that pivots into the broader 3DEXPERIENCE single-sign-on session.
RemediationAI
Patch availability is not explicit in the supplied data, so apply the fix described in the Dassault Systèmes advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-9024 - typically delivered as a Fix Pack or Hot Fix for each affected 3DEXPERIENCE release (R2024x, R2025x, R2026x). Until the patch is deployed, restrict Process Experience Studio authoring privileges to a minimal set of trusted users (the attack requires PR:L), audit recently-modified Studio content for suspicious HTML/JS or unusual attributes, and enable a strict Content Security Policy on the 3DEXPERIENCE web tier to limit inline-script execution - noting that an over-tight CSP can break legitimate Studio widgets and should be tested in a non-production tenant first. Consider routing 3DEXPERIENCE traffic through a WAF with XSS signatures as a temporary detective control, accepting the false-positive cost on engineering payloads.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33604
GHSA-275h-jpxv-7884