CVE-2026-9024: Stored XSS in DELMIA Service Process Engineer Process Experience Studio
A stored cross-site scripting (XSS) vulnerability exists in DELMIA Service Process Engineer's Process Experience Studio component across multiple releases. An attacker with user-level access can inject malicious scripts that persist in the application, executing in the browsers of other users who view the affected content. This allows unauthorized access to sensitive data or actions performed on behalf of victims within their authenticated sessions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9024 is a stored XSS vulnerability (CWE-79) affecting Process Experience Studio in DELMIA Service Process Engineer Release 3DEXPERIENCE R2024x through R2026x. The vulnerability requires authenticated access (PR:L) and user interaction (UI:R) but impacts multiple users across trust boundaries (S:C), with high confidentiality and integrity impact. The CVSS 3.1 score of 8.7 reflects the ability to compromise user sessions and manipulate application behavior without directly disrupting service availability.
Business impact
Compromised user sessions within DELMIA Service Process Engineer can lead to unauthorized process modifications, data theft, or execution of malicious actions appearing to originate from legitimate users. For organizations relying on DELMIA for manufacturing and service process management, this could result in process integrity violations, regulatory compliance issues if sensitive manufacturing data is exfiltrated, and erosion of audit trail reliability. The stored nature of the vulnerability amplifies risk by affecting multiple users over time rather than requiring individual target interaction.
Affected systems
DELMIA Service Process Engineer is affected across Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x. The vulnerability is specific to the Process Experience Studio component. Organizations running these releases in their production environments are at risk. No patch version information is provided in the current advisory; vendors and users should verify patch availability and applicability against the official vendor security advisory.
Exploitability
Exploitation requires valid user credentials and the ability to submit content (such as process definitions or templates) that persists within Process Experience Studio. An attacker must then manipulate another user into viewing the malicious content. While not trivial, the attack does not require sophisticated techniques—basic XSS injection patterns are often sufficient. The required authentication barrier moderates exposure compared to unauthenticated XSS, but the stored nature and broad user base within typical DELMIA deployments increase practical risk.
Remediation
Organizations should apply security patches from Dassault Systèmes as they become available. Until patching is possible, implement input validation and output encoding controls at the application level, restrict Process Experience Studio access to trusted users, and monitor for suspicious process content submissions. Review stored process definitions and templates for signs of script injection, particularly JavaScript payloads in name fields, descriptions, or custom properties.
Patch guidance
Consult Dassault Systèmes security advisories for patch releases applicable to your specific Release version (R2024x through R2026x). Prioritize patching production instances managing critical manufacturing or service processes. Test patches in non-production environments first, as Process Experience Studio is often deeply integrated with enterprise workflows. Verify that patching does not require data migration or process definition updates before deploying to production.
Detection guidance
Monitor Process Experience Studio audit logs for submissions of unusually large or complex process definitions, particularly those containing script-like syntax in fields that should contain only text or identifiers. Deploy web application firewalls (WAF) rules to detect stored XSS payloads in request bodies targeting DELMIA. Review stored process templates for embedded JavaScript, event handlers (onload, onerror, etc.), or suspicious iframe or script tags. User behavior analytics may flag accounts creating or modifying multiple processes in unusual patterns.
Why prioritize this
The combination of high CVSS score (8.7), stored persistence, cross-user impact (S:C), high confidentiality and integrity risk, and the requirement for only user-level authentication makes this a significant priority for patching. Manufacturing and service engineering environments are high-value targets; compromise of process definitions could cascade into physical world consequences. The vulnerability is not yet in the CISA KEV catalog, suggesting limited public exploitation, but the stored XSS vector is well-understood and likely to attract attention once patches are released.
Risk score, explained
The CVSS 3.1 score of 8.7 (HIGH) reflects: network-accessible attack vector with low complexity, low privilege requirements, and necessary user interaction. The cross-boundary scope (S:C) and high impact to confidentiality and integrity (C:H/I:H) elevate the score. Availability is not impacted (A:N) because the vulnerability does not disrupt service—it hijacks user sessions. The score appropriately weights the authenticated requirement against the broad user impact within a typical organizational DELMIA deployment.
Frequently asked questions
Does this vulnerability allow an attacker to modify manufacturing processes without authentication?
No. The vulnerability requires valid user credentials to inject malicious content into Process Experience Studio. However, once injected, the malicious script executes in the browsers of any user viewing that content, potentially allowing the attacker to perform actions as those victims.
What is the difference between this stored XSS and a typical reflected XSS?
Stored XSS persists in the application database, affecting all users who access the compromised content over time. Reflected XSS requires the attacker to trick each victim into clicking a malicious link. Stored XSS is generally higher risk because the attacker only needs to inject once to compromise multiple users.
Is there a patch available now?
Patch information has not been included in the current advisory data. Contact Dassault Systèmes directly or monitor their security portal for patch releases applicable to your Release version. Do not assume patches are available; verify before communicating timelines to stakeholders.
Should we disable Process Experience Studio until a patch is available?
Disabling may not be practical if the component is critical to your operations. Instead, restrict Studio access to a minimal trusted user group, increase monitoring and logging, and maintain an expedited patching plan for when fixes are released. Risk tolerance and business impact should guide your mitigation strategy.
This analysis is based on information available as of the publication date and does not constitute professional security advice. Organizations should conduct their own risk assessments, consult Dassault Systèmes official security advisories, and engage their security teams before implementing remediation. No exploit code or weaponized proof-of-concept is provided herein. Patch version numbers, KEV status, and specific affected product SKUs must be verified against authoritative vendor advisories before deployment decisions. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)