CVE-2025-40587
Undergoing Analysis Undergoing Analysis - In Progress
Stored XSS in Polarion Document Titles Allows Remote Attack

Publication date: 2026-02-10

Last updated on: 2026-02-10

Assigner: Siemens AG

Description
A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-40587
EUVD
EUVD-2025-207262
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
siemens polarion to 2404.5 (exc)
siemens polarion to 2410.2 (exc)
siemens polarion From 2506 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in Siemens Polarion software versions prior to V2404.5 and V2410.2. It allows an authenticated remote attacker to inject arbitrary JavaScript code into document titles. When other users view these specially crafted document titles, the malicious JavaScript code executes, leading to a stored XSS attack.

Impact Analysis

[{'type': 'paragraph', 'content': "The impact of this vulnerability includes the potential for attackers to execute malicious scripts in the context of other users' browsers. This can lead to unauthorized access to sensitive information (high confidentiality impact), partial modification of data (low integrity impact), and could compromise user sessions or perform actions on behalf of users without their consent. The vulnerability requires low privileges and user interaction but can be exploited remotely over the network."}] [1]

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying whether your Polarion installation is running a vulnerable version prior to V2404.5 or V2410.2 and checking for the presence of specially crafted document titles containing arbitrary JavaScript code.

Since the vulnerability allows stored cross-site scripting via document titles, you can inspect document titles in the Polarion application for suspicious JavaScript code.

There are no specific commands provided in the resources to detect this vulnerability on your network or system.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the affected Polarion software to a fixed version: V2404.5, V2410.2, or later.'}, {'type': 'paragraph', 'content': "Additionally, Siemens recommends applying product-specific updates and following general security best practices, including protecting network access with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security."}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40587. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart