Skip to main content

DELMIA Service Process Engineer EUVDEUVD-2026-33604

| CVE-2026-9024 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 3DS.Information-Security@3ds.com GHSA-275h-jpxv-7884
8.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:32 vuln.today

DescriptionCVE.org

A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.

AnalysisAI

Stored cross-site scripting in Dassault Systèmes DELMIA Service Process Engineer (Process Experience Studio component) across releases 3DEXPERIENCE R2024x through R2026x allows an authenticated low-privilege attacker to inject persistent script payloads that execute in another user's browser session. With a CVSS 3.1 base of 8.7 driven by scope change and high confidentiality/integrity impact, successful exploitation can compromise the victim's 3DEXPERIENCE session data and authority across trust boundaries. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in the Process Experience Studio module of DELMIA Service Process Engineer, a PLM/manufacturing-engineering web application that runs on Dassault Systèmes' 3DEXPERIENCE platform. Stored XSS arises when user-supplied content (such as field values, process definitions, or annotations entered into Studio) is persisted server-side and later rendered into another user's authenticated DOM without proper output encoding or contextual escaping, letting attacker-controlled HTML/JavaScript execute under the victim's origin. The CVSS scope change (S:C) indicates the injected script can affect resources beyond the vulnerable component - typical of XSS that pivots into the broader 3DEXPERIENCE single-sign-on session.

RemediationAI

Patch availability is not explicit in the supplied data, so apply the fix described in the Dassault Systèmes advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-9024 - typically delivered as a Fix Pack or Hot Fix for each affected 3DEXPERIENCE release (R2024x, R2025x, R2026x). Until the patch is deployed, restrict Process Experience Studio authoring privileges to a minimal set of trusted users (the attack requires PR:L), audit recently-modified Studio content for suspicious HTML/JS or unusual attributes, and enable a strict Content Security Policy on the 3DEXPERIENCE web tier to limit inline-script execution - noting that an over-tight CSP can break legitimate Studio widgets and should be tested in a non-production tenant first. Consider routing 3DEXPERIENCE traffic through a WAF with XSS signatures as a temporary detective control, accepting the false-positive cost on engineering payloads.

Share

EUVD-2026-33604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy