CVE-2026-9024: Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x
A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session.
Metrics
- CVSS v3.1
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A stored cross-site scripting (XSS) vulnerability affects the Process Experience Studio component in Dassault Systèmes DELMIA Service Process Engineer, covering releases 3DEXPERIENCE R2024x through R2026x. The vulnerability is reachable over the network and requires a low-privilege account; a victim must interact with attacker-controlled content in their browser session before the payload fires. Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix version is released.
HarborGuard Coverage
Detection of CVE-2026-9024 is available across every HarborGuard environment: the CVE record is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that package affected DELMIA Service Process Engineer components.
AvailableTriage is available using the CVSS v3.1 score of 8.7 (HIGH), weighted against each customer organization's compliance policy to determine urgency; findings are routed automatically to the appropriate team inbox within each customer org based on image ownership and policy configuration.
AvailableBecause no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to limit exposure of the affected service.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the affected DELMIA Service Process Engineer instance over the network (AV:N); no local or physical access is required.
- AuthenticationRequired
The attacker must hold at least a low-privilege account on the platform; unauthenticated access is not sufficient to inject the stored payload (PR:L).
- Victim interactionRequired
A logged-in user must open or interact with a page containing the attacker's stored payload before the malicious script executes in their browser session (UI:R).
- Attack complexityDetail
Exploitation is reliable and requires no special race conditions or environmental prerequisites; the attack succeeds consistently once the payload is stored and the victim loads the affected page (AC:L).
Blast Radius
- An attacker's JavaScript runs in the victim's authenticated browser session, giving access to session tokens and cookies scoped to the 3DEXPERIENCE platform.
- Sensitive data visible to the victim, such as process design records and service engineering documents, can be read and exfiltrated.
- The attacker can perform state-changing actions within the platform on the victim's behalf, including modifying or deleting process configurations.
- Because the scope is changed (S:C in the CVSS vector), the impact can extend beyond the immediate application to other browser-accessible resources in the same origin context.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-9024, HarborGuard monitors the Dassault Systèmes advisory on every ingest cycle and will automatically make a patched-image rebuild available for affected environments the moment a fix version is released. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention. While no patch exists, HarborGuard surfaces compensating-control recommendations including network-policy isolation to restrict inbound access to the affected DELMIA Service Process Engineer service, egress filtering to limit data exfiltration paths, and feature-flag gating to disable the Process Experience Studio component where operationally feasible. Customers can track advisory status directly on this CVE page, which updates automatically as new information is ingested.
- Dassault Systèmes / DELMIA Service Process Engineer≤ 3DEXPERIENCE R2024x FP.CFA.2537 · ≤ 3DEXPERIENCE R2025x FP.CFA.2541 · Release 3DEXPERIENCE R2026x Golden
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N