VYPR
High severity (8.7) · NVD Advisory · Published Jun 1, 2026

CVE-2026-9024

Description

A stored XSS in Process Experience Studio allows attackers to execute arbitrary script in a user's browser, affecting DELMIA Service Process Engineer from R2024x through R2026x.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Stored Cross-site Scripting (XSS) vulnerability exists in the Process Experience Studio component of DELMIA Service Process Engineer. The bug affects all releases from 3DEXPERIENCE R2024x through R2026x. The vulnerable code path does not properly sanitize user-supplied input before storing it, allowing malicious scripts to be persisted and served to other users when the stored content is rendered in the browser [1].

Exploitation

An attacker must have authenticated access to the affected application and the ability to submit crafted input to a field or parameter that is later displayed to other users. No additional network position or privileges are required beyond standard user-level access. The attacker injects JavaScript code into a stored element; when a victim views the tampered content in their browser session, the script executes automatically [1].

Impact

Successful exploitation leads to arbitrary script code execution in the victim's browser session, within the security context of the application. The attacker may steal session cookies, modify page content, redirect the victim, or perform other actions that the user's browser session permits, potentially leading to further compromise of the user's account and data [1].

Mitigation

Dassault Systèmes has not yet published a fixed version or workaround in the available references [1]. Users should monitor the vendor's security advisory page for patches. As a general practice, applying input validation and output encoding in the application may reduce risk, but no official mitigation is disclosed at this time.

References
  1. CVE-2026-9024

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
