Description
A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.
Published: 2026-06-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the Process Experience Studio module of DELMIA Service Process Engineer. The flaw enables an attacker to embed malicious script payloads in data fields that are later rendered within users’ browsers. When an affected user views the stored data, the browser executes the injected script, potentially resulting in session hijacking, credential theft, or defacement of the application.

Affected Systems

Dassault Systèmes DELMIA Service Process Engineer is affected. The issue spans Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x.

Risk and Exploitability

The CVSS score of 8.7 reflects a high‑impact, client‑side flaw. No EPSS score is available, and the vulnerability is not listed in CISA KEV, so the exploitation probability remains uncertain. Attackers would likely need the ability to insert data into the affected fields—either by leveraging legitimate user credentials or by compromising a user account with write access. The attack vector is client‑side, depending on stored inputs that are rendered in the victim’s browser.

Generated by OpenCVE AI on June 1, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a fixed release that addresses this stored XSS flaw
  • Sanitize and encode all user‑provided data before storing or displaying it to prevent script injection
  • Implement a strict Content Security Policy that limits inline script execution and restricts sources to trusted domains

Generated by OpenCVE AI on June 1, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Dassault
Dassault delmia Service Process Engineer
Vendors & Products Dassault
Dassault delmia Service Process Engineer

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.
Title Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Dassault Delmia Service Process Engineer
cve-icon MITRE

Status: PUBLISHED

Assigner: 3DS

Published:

Updated: 2026-06-01T13:06:19.522Z

Reserved: 2026-05-19T15:19:39.513Z

Link: CVE-2026-9024

cve-icon Vulnrichment

Updated: 2026-06-01T13:06:15.792Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-01T09:16:21.413

Modified: 2026-06-01T17:57:39.180

Link: CVE-2026-9024

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')