PatchSiren cyber security CVE debrief

CVE-2026-9024 Dassault Systèmes CVE debrief

A stored cross-site scripting (XSS) vulnerability in DELMIA Service Process Engineer affects the Process Experience Studio component across 3DEXPERIENCE R2024x through R2026x. The flaw, rated CVSS 3.1 8.7 (High), could allow an authenticated attacker with low privileges to execute arbitrary script code in a victim's browser session. The attack requires user interaction and has a changed scope (S:C), with high impacts to confidentiality and integrity but no availability impact. The vendor has published a security advisory acknowledging the issue. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor: Dassault Systèmes
Product: DELMIA Service Process Engineer
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations using DELMIA Service Process Engineer within 3DEXPERIENCE R2024x–R2026x, particularly those with multi-user Process Experience Studio deployments where stored content is shared across sessions. Security teams responsible for PLM/MES platform hardening and application security engineers managing XSS defenses in enterprise engineering software.

Technical summary

The vulnerability exists in the Process Experience Studio component of DELMIA Service Process Engineer, part of the 3DEXPERIENCE platform. A stored XSS flaw (CWE-79) allows script injection that persists and executes in other users' browser sessions. Affected versions span 3DEXPERIENCE R2024x through R2026x. The CVSS 3.1 vector indicates a network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, high confidentiality and integrity impact, and no availability impact. The vendor has issued a dedicated security advisory. NVD analysis is pending as of publication.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Dassault Systèmes when available per vendor advisory
  • Review and restrict user permissions within Process Experience Studio to least-privilege principles
  • Implement Content Security Policy (CSP) headers and output encoding defenses for web-based 3DEXPERIENCE components
  • Monitor for anomalous script execution or unauthorized data access within DELMIA Service Process Engineer sessions
  • Validate that input fields in Process Experience Studio sanitize user-supplied content before storage and rendering

Evidence notes

CVE published 2026-06-01; modified same day. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. Weakness: CWE-79. Vendor reference confirms Dassault Systèmes (3ds.com) as source. NVD status: Awaiting Analysis.